Rapid7’s Mike Tuchen on Cyber Espionage and Startup Lessons
How are companies spying on each other these days? One of the surprising ways I’ve heard about recently is through the webcam in boardrooms.
That’s right, apparently it’s easy to hack into some companies’ video conference systems, because they lie outside typical security measures. Companies sometimes set up video conferences so they can be accessed directly on the Internet—leaving the door open for eavesdroppers to listen in on meetings, or even remotely monitor a conference room via the camera.
One local software company is helping organizations guard against this threat—and many others. Boston-based Rapid7 is one of the leaders in the growing cluster of IT security companies around town. Rapid7’s approach is complementary to firms like NitroSecurity (recently acquired by Intel/McAfee) and Q1 Labs (bought by IBM), which help organizations guard against security threats in their computer networks and systems.
What Rapid7 does is help organizations find security flaws throughout their IT infrastructure, and then test whether they’ve been corrected. To fuel its growth, the company raised a $50 million Series C round from Technology Crossover Ventures in November—one of the largest tech venture rounds in the Boston area lately. (Rapid7 has raised $59 million to date.)
“There’s a lot of cyber-espionage going on in business,” says Mike Tuchen, Rapid7’s CEO (see photo, left). The activity ranges from stealing sales plans, financial information, and intellectual property, to the aforementioned boardroom eavesdropping, he says. And, of course, it’s not just companies spying on each other; it’s governments and nation states as well, all trying to get their hands on everything from Citibank credit card numbers to the special sauce in Apple’s iPad design.
What’s a CEO to do? If you’re Mike Tuchen, you take a promising company and try to make it better. Tuchen joined Rapid7 as chief executive in 2008. (The company has been around since 2000.) Previously he worked at Microsoft as a group program manager and general manager of SQL Server marketing. An engineer by training, he also worked at Sun Microsystems and co-founded Paramark, a dot-com-era online advertising startup.
When he arrived at Rapid7, brought in by Bain Capital Ventures (the firm’s original VC investor), Tuchen saw a company that had “a great engineering and sales team” but not much else. He says he didn’t have to tear up the company, just bring in some key additions: marketing, channel partners, new processes, and a broader product roadmap, including a more international market focus.
So far the effort seems to be paying off. The company has grown to about 240 employees (about half in Boston), and Tuchen says revenues are now 10 times what they were in the year before his arrival. Rapid7 had more than 70 percent revenue growth in 2010 over the previous year, and had similar growth in 2011, he says. The company was cash flow positive for much of last year, and after the recent funding round, it expects to be cash flow positive again by mid-2012. Rapid7 will continue to expand, add new product lines, and make acquisitions, Tuchen says.
Rapid7’s business boils down to two main components. One is what Tuchen calls “automated assessment,” whereby the company’s software finds security flaws in an organization’s IT systems—things like software issues and configuration problems. The other area is what he calls “penetration testing,” whereby Rapid7 will test a company’s security system by trying to break in from outside, to demonstrate the urgency of any security flaws and make sure problems have been fixed. The latter business unit grew out of the company’s 2009 acquisition of Metasploit, a security firm that specialized in that form of testing.
Rapid7’s customers include big government organizations like the U.S. Department of Energy, universities such as Carnegie Mellon, defense contractors like Teradyne, and big brands like Liz Claiborne.
Lastly, here are five more highlights from my chat with Tuchen:
—On what he learned from his dot-com startup, Paramark: “We struggled outside of our skill set,” Tuchen says. The four-person founding team was great at engineering and product development, but was sorely lacking in sales, marketing, and profit and loss management, he says. So it’s important to bring in people with complementary talents.
—On advice for new entrepreneurs: Only start a company if you have a strong enough network to hire the first four or five people directly, Tuchen says. Otherwise it can be too much of a slog to get going.
—On Rapid7’s culture: Tuchen boils it down to “high energy.” And he says he largely inherited it when he came in. You can sense the passion and excitement in the company’s open floorplan at its Boston office, he says.
—On hiring: “The most important thing to get right is the people on the team, particularly at the senior levels,” Tuchen says.
—On acquisition targets: Tuchen wouldn’t tip his hand on any impending deals, but Rapid7 is probably looking to follow the Metasploit model. That is, work with a prominent entrepreneur (in that case, HD Moore, an open-source security expert) and combine his or her technical talent and projects with Rapid7’s marketing and sales expertise to build a new part of the business.