Ed Bellis is the co-founder and Chief Technology Officer of Kenna Security, a cybersecurity company that pioneered the risk-based vulnerability management space, and was acquired by Cisco last year. On today’s episode, Jon Sakoda speaks with Ed about his journey from skateboarder to cybersecurity expert, including his advice for first-time founders anxious about always getting it right the first time.
Ed Bellis is the co-founder and Chief Technology Officer of Kenna Security, a cybersecurity company that pioneered the risk-based vulnerability management space, and was acquired by Cisco last year. On today’s episode, Jon Sakoda speaks with Ed about his journey from skateboarder to cybersecurity expert, including his advice for first-time founders anxious about always getting it right the first time.
Follow Jon Sakoda https://twitter.com/jonsakoda
Follow Ed Bellis https://twitter.com/ebellis
Follow Decibel https://twitter.com/DecibelVC
ED BELLIS: We knew that we needed to solve this prioritization problem, but when we went out and founded the company, we didn’t know how we were going to solve it.
JON SAKODA: Welcome to the Decibel podcast. I’m excited to welcome my friend Ed Bellis. Ed was the founder and CTO of Kenna Security, a company that was recently acquired by Cisco. Ed was first a chief information security officer and protected large companies like Bank of America and Orbitz before starting Kenna. He is an advisor to several successful security startups and has also been a great friend to us here at Decibel.
Ed, I am really excited to have you on, and welcome to the show.
ED BELLIS: Thanks, Jon. Thank you for having me. I’m pretty excited to be here, and I can tell you that I’ve listened to a number of episodes, and I’m really excited to finally be a part of one.
JON SAKODA: Ed, not a lot of people know the Kenna story. You guys were a very successful cybersecurity company that went on to have a great exit. You founded the company in the Midwest and were flying under the radar for many years. There are many dimensions of the story that I think the audience is really going to enjoy as we dive in today. But if you don’t mind, could we start at the very beginning? Tell everybody a little bit about where you grew up and what your parents did, and eventually, what led you to become a founder.
ED BELLIS: Yeah, no, absolutely. And that’s a long journey, given my age. So, I grew up just outside of Detroit, actually, in a town called Ferndale. And growing up in Detroit, as you would expect, there is a lot to do with the auto industry. My dad worked as a test driver for General Motors. My mom was actually, I guess, a mail carrier would be the appropriate term. It was very much a kind of blue collar home, blue collar town, although everybody I talk to now who’s still in Detroit tells me that the area I grew up in is now a very trendy and hip area of town. But it was definitely not hip or trendy when I was there.
JON SAKODA: It’s funny that you mention that. I think a lot of founders start out doing something a little different, become successful, and then become trendsetters. Sounds like maybe you were a little early to the trend in your neighborhood. You mentioned your parents had blue collar jobs. Do you remember when you first discovered computers? And was gaming or programming one of your early passions or hobbies?
ED BELLIS: My first computer was an Atari 400. It didn’t even have one of the real keyboards. It had one of those depressed keyboards. I eventually got a cassette tape drive and a modem to go along with it. The modem was kind of life-changing, as you can imagine. I’ve heard a number of your guests talking about this as well. But connecting into the early days of BBSs and things like this. But I spent probably the majority of my time as a youth probably more on my skateboard and on my BMX bike, and all of these types of things than anything. I was definitely one of those kids that would come home, finish up whatever I needed to do, and be out of the house within 20 minutes. And I would come home when the streetlights came on, and that’s what I did almost every day.
JON SAKODA: I can’t help but ask because you just reminded me of something. You were a skateboarder living in the Detroit area. You eventually became a successful security founder. I think many of our listeners also know the story of our mutual friend Dug Song, the founder and CEO of Duo Security, also an avid skateboarder, lived in the Detroit area, became a successful security founder.
Looking back, I just have to ask, what was in the water, or was there something special about growing up in Detroit in the early 2000s that led you all down similar paths?
ED BELLIS: There must be. I don’t know what the heck it is, but yeah, that seems like a few niche things all rolled into one. Seems like more than just a coincidence. It’s funny, but you mentioned Dug. Our co-founder at Kenna, Jeff, he went to the University of Michigan. And he was there while I think Dug at this point had graduated, but one of the things that they were responsible for was monitoring some of the networks there.
JON SAKODA: That’s right. Famously, Dug had to take a job at the University of Michigan and promise to monitor the network because he had previously been caught hacking into the network in his undergraduate years.
ED BELLIS: So, turns out that that’s also how Jeff and Dug met— JON SAKODA: Oh, okay.
ED BELLIS: ... was because Dug was monitoring and Jeff was caught. So, it does seem to be something certainly in the water there in Ann Arbor, at least.
JON SAKODA: One of the things that I love about your founding story is that you were first a cybersecurity practitioner. You were somebody that woke up every day and had to try to protect big companies from cyberattacks. Tell us what it was like doing that job every day, and what led you to the idea to start Kenna?
ED BELLIS: Sure. So, I took a little bit of an unnatural route into kind of being a founder by first spending quite a long time, actually, on the practitioner side. I finally got the opportunity to take a job as security employee number one at Orbitz. I want to say it was right around the end of 2003, beginning of 2004. I was there for about six-and-a-half years. And as part of that, I ended up really starting to run into this problem that we set out to solve ultimately at Kenna, which was to say, on the vulnerability management side, you have way more vulnerabilities than you ever will have the people or tools to actually fix them. So, how is it that you decide what needs to be fixed? How do you prioritize? How do you make sure that you’re not getting exploited doing this, and doing all the right things?
JON SAKODA: If I could ask, since not everyone is a cybersecurity expert, and the audience may not understand why a company needs risk-based vulnerability management, describe for everybody what a day in your life was like at Orbitz. What was the major problem and pain point that you were setting out to solve?
ED BELLIS: Yeah. Yeah, absolutely. So, I mean, the way our team was dealing with this is we would have—think of having a lot of different automated tools out there that are finding a lot of security holes or weaknesses in your networks and your computers and all of your applications and things like that. And think about that, but you’re finding millions of them, or maybe tens of millions of them, or maybe hundreds of millions of them, depending on how big you are. And now know that it takes some time to actually fix those holes, to the point where any given company probably has enough people and resources to fix, on average, about 10%, 15% of those, right? So you’re leaving 85% to 90% of your security holes that some tools or a team of people have found open, and saying, “I have to live with
this,” right, in some way or another. And you do it the next month after that, and you find more. And you’re fixing 10% of those, right? So think of this as you’re growing the pile of debt that you have for security. And it was, forgive the pun, but it was very untenable, right? It almost felt wrong to leave that many vulnerabilities open as a security practitioner.
JON SAKODA: Let’s talk about the jump from being a CISO to being a founder. I think many have made that jump successfully. But if I could stereotype for just a moment, some people believe that CISOs are incredibly talented at imagining what can go wrong. And typically, founders need to be able to do the opposite of that. They need to imagine what can go right, and often shut out all of the fear and anxiety about what can go wrong. What was the transition like for you? How did you do that successfully?
ED BELLIS: Yeah. So, I’m one of those people that tends to be certainly much more of an optimist than a pessimist. And that’s always been hard in this industry in general, whether it be a CISO on the practitioner side or just being in security. There’s always, the sky is falling, everything is bad. It actually kind of speaks, though, to what it is that we do as well, right? And that’s really kind of why I ended up wanting to have a data-driven approach to this, because I was so tired of hearing about, “These are all bad, right? We’ve got to fix them all.” But why? Well, because they are. I needed to have data that showed me, well, what’s the likelihood that something bad is going to happen to me by having all of these security vulnerabilities, right? And nobody could really tell me that.
And if you can show data, you can show hard facts as to, this is the likelihood of this happening. This is the impact of this happening. Here is kind of your total risk. That is something that I can really relate to. And that’s ultimately where we wanted to go. Now, by the way, we knew that we needed to solve this prioritization problem, but when we went out and founded the company, we didn’t know how we were going to solve it. We didn’t have a clear, distinct plan, because a lot of that data back then wasn’t necessarily available, and certainly not in any way that it is today.
But to kind of talk to your question, right, which is, what’s it like to go from practitioner CISO over to kind of founder, it’s different. I don’t recommend it for everybody. You have to have kind of a certain personality to be able to pull that off. I would say I’m happier on the founder side. In fact, I would never—God bless all you CISOs out there, but I don’t think I could ever do that job again. It’s an impossible task.
JON SAKODA: I’m curious what advice you’d give to operators who are thinking about becoming founders. Let’s say you meet a young CISO who looks up to you, is ready to quit his or her job and go and start a company. I know this is a terrifying decision for a lot of people, and with hindsight, we sometimes forget just how scary it can be to take that first step. What would you say to a friend who asks you if it’s a good idea to start a company, knowing just how risky it can be?
ED BELLIS: Well, first off, yes. The answer is yes. It’s almost always yes. But beyond the yes, right, it’s a personal decision more than anything else, right? It’s way beyond what it is that you want to do with your career path. It’s what do you want to do with your life? Because it’s very different to actually found a company than work for a company, as many can attest to. I hate the term work/life balance and work/work balance, or whatever it is. But it’s all blended together, right? Everything that you do, especially early on, is going to kind of determine whether or not you’re successful or not. And even in some cases, a lot of those things are still out of your control.
But don’t found a company because you want to be the boss, right? Because you’re never the boss, really, even early venture-backed companies. You’ve got a board. You’ve got things that you’ve got to be responsible to. Your customers are your boss early on, right? They are throughout the life. Go there because you are really passionate about the problem that you’re trying to solve. And that’s one of the actually big advantages, I think, that CISOs and practitioners have, is they have lived that other side, right? And they’re actually dealing with this problem on a day-to-day basis. And they know what’s super painful, and they know what’s not as painful, and things that they would pay for versus things that they wouldn’t. So, that’s a big advantage, but it’s a totally different lifestyle, really.
JON SAKODA: Can I ask you a personal question that I think many founders struggle with? Its’ about money. I think some people look at cybersecurity and they look at the sky-high valuations and the big exits. Do you think people should start companies because they recognize it’s a great economic opportunity? I know that obviously you guys had a very successful outcome, and maybe that in retrospect is life-changing. But at the very beginning, how much of the decision should be about trying to change your economic opportunity for you and your family?
ED BELLIS: I would say very little, only because the answer is the most likely outcome for you founding a company is that it’s going to fail, ultimately, right? So, if you want to build wealth, you could end up founding and having a really great successful exit. But the most likely path to wealth is not that, right? Most likely, you are going to fail, and you’re going to run into all kinds of problems. You need to be very comfortable with being uncomfortable. For your first time coming out and founding a company, there’s going to be way more that you don’t know than you do know. And that’s totally okay, right? Go ask for help for certain areas.
For me, what I ended up doing is I ended up connecting to a lot of people that I worked with who were on the other side, right? I brought in early on some advisors who were founders and had some success founding security companies at the time. Take advantage of those relationships that you have to learn as much as you can as quickly as you can.
JON SAKODA: Getting back to Kenna, you mentioned that most companies were trying to process hundreds of thousands, if not millions, of security alerts. This clearly is more than any one team can handle at one time. You also admitted that at the time, you knew this was a big problem, but didn’t know exactly how you guys were going to solve it. So, walk us through those early years.
ED BELLIS: Yeah. Yeah. So, I started to talk to a lot of my peers, both internally and then in the industry at large, thinking that this is probably not that big of a deal in terms of the solution or how hard it would be to solve, and found out that pretty much everybody was doing the same things that we were doing, right, which was either large spreadsheets or a homegrown database, and a large team of people, and kind of plowing through as much as they could. But nobody had really solved it beyond just pouring as many people as they could at it and continuously falling behind.
So, that’s when I had actually gave Jeff a call. He had just finished up business school at Columbia. I said, “Hey, I think we got a problem here. And actually, this problem is going to get much worse,” right? So, this was late 2010 at that point. And decided to go out and found a company that we called HoneyApps at the time, which was our first of three names for the company. And we went out and started to build kind of the table stakes for what it was that we were going to do. We raised a small seed round, way smaller than the rounds you see now. I think it was led by Tugboat Ventures, which is out in Palo Alto, and then filled by Hyde Park Angels here in Chicago. And we raised, I want to say, $1.2
million on a $3 million pre, so, very different days back then. And we went and used that to really kind of start to build everything out.
Now, as I describe it, right, the problem that we solve, which is to say, “Hey, you have more vulnerabilities, more security issues than you have people and tools to fix all of these,” right, so I’ve got to be able to prioritize that. But before I can do all of that and make sense of your data, I have to get your data. And there was a lot of work that went into it. I would say the first, I don’t know, 18 to 24 months of our company was really just building out integrations and solving this messy data problem, right? And we couldn’t go out and just build something that was integrating into a few things, right, because one of the things you discover when working early on with proofs of concepts with these prospects is, if you can’t make sense of all my data, you can only make sense of a portion of it, then it’s not worth anything to me.
JON SAKODA: So, you guys are building proof of concepts and talking to customers. But if I understand you right, in the beginning, in order for your product to work, you needed to first ingest all of your customers’ data, which was initially quite hard. Then you also needed to prove to them that there was value in organizing and prioritizing and operationalizing all that data. How did you eventually crack the code to finding product-market fit?
ED BELLIS: Yeah. So, when we raised our seed round from Tugboat, they brought in a gentleman by the name of Roger Thornton. And Roger Thornton at the time was one of the founders of Fortify Software, which does—basically, they look for security issues in your custom code that you write. And he came in, and we were doing the final partner pitch, right? And he was there, and we were talking and presenting our case. And Roger just kept agreeing with everything that we said. “Yes, our customers ask for this all the time, and this. And oh, you guys, have you thought of this? Oh, that’s fantastic,” to the point where we got towards the end, and Dave Wharton, who was the partner at Tugboat, goes, “Roger, would you like to go sit on the other side of the table?” Because he was just a huge advocate for what we were doing.
Anyway, we closed that round. Later on, HP had bought Fortify. Roger had left and then went to become the CTO over at AlienVault, which is a security company in the security information and event management space, which is to say they monitor customers’ networks looking for attacks and different things that are going on. And I ended up meeting Roger again at the RSA Security Conference. And this was, oh, 2012, 2013, somewhere in there. I forget which year at this point. But he sat down with me, and we were doing, and he goes, “Hey, we’ve got a ton of data where our customers have opted in for us to kind of collect, which shows all of these different attacks. And some of these attacks that we’re seeing a lot of are exploitations of vulnerabilities. And we’re starting this thing called the Open Thread Exchange, where we start to collect all of this data. And we’d be interested to know if this is something that would be valuable to your company,” right? And I’d mentioned earlier, I didn’t know where we were going to find this data to make sense of it. Well, this was huge for us.
JON SAKODA: It just sounds like a minor miracle.
ED BELLIS: I would probably maybe even say it wasn’t minor. So of course, I said yes, and we partnered with AlienVault and Roger, and started o consume this into our platform. And then tying that data directly to the data that our customers gave us. So when the customer logged in, not only would they see all of their vulnerabilities in one spot—they would also see, of all these vulnerabilities, what was the most likely thing to be attacked and successfully exploited, which is something they had never
seen before. And that definitely pushed us from a nice to have to a must have, and made those proof of concepts go so much smoother.
JON SAKODA: That’s amazing. What a great story. Now, when you look back in finding product- market fit and then eventually scaling up and building out go-to-market, what were some of the things that went right, and what are some of the lessons learned in that process?
ED BELLIS: Yeah. Probably more lessons learned than things going right, but a little of both. It’s funny, I always talk about that moment with Roger and AlienVault as kind of the early tipping point of product-market fit for us. There’s a little bit of tipping point to go-to-market fit for us as well, which soon followed thereafter. We had brought in a guy by the name of David French. And he came from Qualys. So, what Qualys is, is they’re one of the largest vulnerability assessment companies in the world. And so, in some ways, they were creating the pain point of which we were trying to solve at Kenna, and they were finding lots of vulnerabilities of their customers, which is great. Before you can prioritize them, you have to know about them, right?
But he had come and he had just done a deal when he was at Qualys with Dell Secureworks, where they were a managed service provider, and they would manage all of their customers’ security. And as part of that, now with his Qualys deal, they would also find all of their customers’ vulnerabilities using Qualys. Well, Dell Secureworks was now doing this at mass scale across all of their customers. So, David joined what is now Kenna. It wasn’t Kenna at the time. And we went in and did the same deal with Dell Secureworks to follow up on top of them to basically say, “Okay, now that you’ve found all these vulnerabilities, why don’t you prioritize all those vulnerabilities for your customers as well using risk and using data?”
So, that was a great deal for us. In fact, we went down to Atlanta for their sales kickoff. This was in, I think, February of that year. And they brought in each of their sales teams so we could train them on Kenna, how to sell it, what are the points, and how do you run a POC, and all of this. And each sales team, they’d come in, they’d have an SMB team, a Fortune 500 team, an Asia-Pacific team, a Europe team—all these different sales teams would come in. And every single sales team that came in that we trained was bigger than our entire company. So, this was definitely a great kind of go-to-market moment for us. And then they launched the service, I want to say it was like the first week of May. And within that first week, they had sold more of our product than we had in the history of our company.
JON SAKODA: Wow. That is an incredible story. Can I ask, because I think a lot of founders struggle with this question, is there such a thing as too early to engage a big channel partner? And when do you think you should start to go invest in a relationship where a bigger company can sell your product for you?
ED BELLIS: Yeah. So, you’ve got to be careful. Before you can allow somebody else to sell your product, you have to be able to sell it yourself, right? Whether that’s channel partners or even just hiring salespeople within your own company, right, first, as founders, you have to go out and sell it. And you have to continue to sell it until you know basically how to qualify, what’s important to a customer, how to actually sell this to a customer. Then you can start to hire salespeople. Eventually you can get to the channel. And I would actually argue, if you’re talking about resellers and channel, things like that, you want to start really with smaller guys and kind of niche players or regional players, because frankly, the larger channel partners aren’t going to give you the time of day. And they’re going to expect you to be bringing them business, not the other way around, right? So, you really need to be
able to train yourself and then train your salespeople, and then start small and then get bigger. I wouldn’t necessarily recommend our route for everybody. I think in some ways, we got lucky. I would start smaller, typically.
JON SAKODA: While we are on this topic, do you have any other lessons learned that you can share with founders on go-to-market in your early years?
ED BELLIS: This is a mistake that we made early on, actually, was hiring our first salesperson was a VP of Sales, right? You don’t need a VP of Sales. You need a salesperson, right? You need somebody who can go out and actually roll up their sleeves, and close deals, and work with the customers, especially early on. This is probably a lesson that goes well beyond go-to-market, and I would just say it goes across the entire company, is hire for the kind of stage of a company that you are now, right, not where you eventually want to be. Yeah, I want to be a large public organization selling to large enterprises. That’s great. But that’s not who you’re going to hire out of the gates, right? You need to hire for your current stage and hire appropriately.
JON SAKODA: So, Kenna eventually grew up and was an earlier leader in a space you guys coined “risk-based vulnerability management.” And eventually, you were acquired successfully by Cisco. Would you mind telling us the acquisition story? How did it originally start?
ED BELLIS: Yeah. Jeff and I got an email, it was in December of 2020, from Dug Song, who we were talking about earlier. So obviously, both Jeff and I knew Dug and John, his co-founder, from years back. And so, Dug sent an email to Jeff and I and said, “Hey, we are at a point where Cisco has decided that risk-based vulnerability management is going to be strategic to us, and wanted to know if you guys would be interested in a conversation.” He goes, “I’m not the GM of that business. A guy by the name of Al Huger is running as the GM over there and would be interested in having a discussion with you guys if you’re open to it.”
And so, Jeff and I jumped on the call real quick with Dug just to get a little bit of background and see what it was that they were thinking, and it sounded to me like this was much more around acquisition than it was around partnership. So, went back, called Karim, who we haven’t talked about yet, but he was our CEO at Kenna, and said, “Hey, this sounds like an acquisition discussion. Obviously we kind of have to have it, just the fact that we’re board members, and we have to at least hear what they have to say.” So, we weren’t thinking positive or negatively about any sort of acquisition. Just everybody says, “Oh yeah, just got to go out and run the business.” And that is actually what we were doing. We were not being cliché about this at all.
But we ended up scheduling a call with those guys. And we got on. And this was mid-December of 2020. There was a very large team on the Cisco side, corp dev, a few of the folks on the business side within Al Huger’s organization. And they said, “Okay, so, if you guys are interested in pursuing this, we’re going to give you fair warning here of what this process looks like.” And sure enough, they kind of described the process to a tee. And they lived up to the process the entire way, meaning they told us the milestones, they told us the timeline, they told us exactly what was going to have to happen.
So we went through this series of diligence early in 2021. And there’s a few things that you really have to have in place for a diligence of that size. We were really fortunate to hire both a great CFO and a great VP of HR at the time, which, as you would imagine, at a deal of that size, those people, there was a lot put on their shoulders during that diligence period. But it worked out well, to say the least.
JON SAKODA: Is that words of wisdom for founders out there who are thinking some day that M&A might be in their future, is to just get a great CFO?
ED BELLIS: I would say eventually, yes. Your CFO is certainly not going to be your first hire. Our early days, we spent lot of time, frankly, outsourcing a lot of that, working with CFOs who were doing this for a number of portfolio companies for our investors. But if you’re going to go through a large acquisition like that, by then, those are two really key roles that you have to have already had filled out and been in place for a while.
JON SAKODA: There’s one more really important question I want to ask you. I remember that along the way at Kenna, you decided to bring in a professional CEO. Tell us about that experience, and what kinds of coaching would you give to founders considering such an important decision?
ED BELLIS: I’ll start by saying this was probably always the decision and always the intention, right? I knew there was a lot about running a business that I had not only no experience in doing, but no idea even on how to do that. Yes, you can get advisors. Yes, you can reach out and get help. And I would strongly recommend doing all of that. But personally, and this was a personal decision for me, I didn’t want to learn at the cost or the expense of my company. So, even when I was raising money early on, you know, when we raised our seed and we raised our Series A and things like that, I said, “Guys, I’m the CEO right now, but I won’t always be the CEO.”
So, ended up getting to a point where it was like, look, there’s a lot that I still haven’t yet figured out in this business, especially on the go-to-market side. And then went out and made the decision to hire a CEO, and talked to a number of folks. And ended up talking to Karim Toubba. And I actually had met Karim when I was a CISO at Orbitz. He was actually at a company that we used for encryption appliances, right? And he was kind of a product/product market guy. And he really just kind of—one, we gelled with him personally, which is absolutely a must, right? If you can’t work with this person, then you’re screwed. But beyond that, he really filled a lot of the holes that I thought that not only I personally had, but kind of of our organization also had, right? And it turned out to be very true, because once Karim did end up joining us, we ended up making a number of changes on that side of the house because it was clearly evident that we didn’t do these things correctly.
Karim and I sat down when he first joined, and one of the things that we talked about was, well, where is the sweet spot for the company? And ultimately, the sweet spot for us was, the larger that company is, the more vulnerabilities they have. The more vulnerabilities they have, the bigger of a pain this is for them, and obviously, the more they want this to go away. So we decided, at that point, it was about time to start to go upmarket, right? We had spent most of our time in what I would say is mid-market to SME, the small to mid-enterprise. And that turned out to be a great decision for us from a business perspective. But that also meant a lot of changes and retooling to the business that we did not put in place prior to Karim arriving.
JON SAKODA: Awesome. I know that it has been quite a bit of time since you started the company, but do you have any advice for founders today, and do you have any lessons for your younger self?
ED BELLIS: So, my advice to founders today actually is probably the same advice to my younger self, which is, early on, apply more urgency to everything, right? It’s okay that you are not going to get it right, and it’s okay that you’re going to fail multiple times along the way. But get to those points as quickly as you possibly can so that you can move on and make adjustments.
JON SAKODA: Ed, I know we are running out of time. You have been a great guest. Maybe we’ve inspired a young skateboarder out there to become the next great cybersecurity founder. Thank you for being a fan of the show, thank you for being a supporter of Decibel, and thank you so much for sharing your words of wisdom today.
ED BELLIS: Jon, thanks again for having me, and I hope the founders were able to learn a little something today.