Chris Rouland‘s first startup experiences were full of the usual risks and rewards. But the Atlanta cybersecurity pioneer’s third go-round on the startup carousel, Bastille, is especially loaded with challenges and opportunities.
That’s because Bastille‘s mission is to protect the Internet of Things, a tech development that’s still viewed as something that..well, hasn’t really arrived yet.
“In this case, one of the challenges is we’re entering a market that doesn’t exist,” Rouland told Hypepotamus. “You can’t go point to a list of ten IoT security companies. I just kind of raised my hand and said, ‘We’re the IoT security guys,’ and it’s a greenfield. So it’s exciting, but it certainly is riskier as well.”
Recent developments, however, are helping to mitigate those risks for Rouland, who is a major player in Atlanta’s famed cybersecurity cluster of companies thanks to his roles at Internet Security Systems (1998-2008), Endgame (2008-2012) and Bastille, which he founded in 2014. Last week, he found out that Bastille was named one of ten finalists for the RSA Conference Innovation Sandbox Contest, set for Feb. 29-March 4.
Also last week, no less a public figure than Israeli Prime Minister Benjamin Netanyahu was quoted as saying that “technological progress is a blessing, but also a curse, and the biggest curse is that the Internet of Things is making everything vulnerable.”
While that sounds ominous, it was also unencrypted music to Rouland’s ears.
You’re helping to build this (IoT security space), and it’s your chance to set the standards for how to protect customers. But IoT is still developing. Can you talk about the difficulties in convincing clients that they need protection right now?
Sure. The most important thing is to provide them visibility. So what we typically do is go in for free and provide them an audit to show them what’s in their airspace. Where are the wireless devices that are in your building that you didn’t think you had? And we almost always find some really interesting things in the environment that are serious security flaws that they had no visibility into.
The security of the IoT today, especially the wireless components, really remind me of internet security in the ’90s, and that’s a big problem because while we’ve got devices being taken to market very quickly, conversely the computer security talent and the hackers are much more sophisticated than they were 20 years ago. So when something insecure is brought to market, it is hacked almost instantly.Take me back to your early startup days. Just like the IoT now, the internet was kind of a Wild West back then too.
When ISS started, there were only a million nodes on the internet. I joined in the early stages of that company, and it was a great experience because we saw the rise of the internet as well as being able to see a business go from being small to a very large entity, and then going along for the ride. Then I had some mentorship from Tom Noonan, who was the (ISS) co-founder, to really encourage me to go out on my own and start my own company. I did that successfully with my last venture, and then I got so excited about this I had to do it again.
People talk about serial entrepreneurship as if it’s in their blood, their DNA. Is that the way to describe you?
I don’t have a resume (laughs). It would be hard to go out and get a regular job. It’s not for everybody. You’ve got to be willing to take risks, and certainly your second or third time out it starts to get easier. But there are always different challenges. Atlanta, I think, is a great place to start a security company but it’s not all roses. There’s a lot of competition for talent. You’ve got several hot security startups – Pindrop, Ionic, SecureWorks, Bastille – and we’re all competing for the same talent, so what many of us have done is open offices in San Francisco. It’s just a smart thing to do because there’s a lot of talent there. It’s also an added expense, right?
It’s a very big expense. But one thing I’ve noticed about Silicon Valley that we’re starting to see here is that we’re hiring second-generation engineers now whose parents were computer programmers. So it’s really in their blood. Their parents were in startups.
People always talk about the growth of ISS and SecureWorks, and those companies being bought out by bigger companies, as the start of the Atlanta cybersecurity cluster.
Right, and there was another group with Jay Chaudhry, a serial entrepreneur. AirDefense was one of his companies. There’s a Venn diagram out there that shows the spinoffs out of ISS, like Paul Judge with Pindrop and several other ventures. And so you can see the spinouts and spinoffs of those companies, and certainly when a company exits, some of that management team has the ability to take risks and start new companies, and some people will choose to stay and work for the larger companies because they prefer the security. So it’s not for everyone.
In a startup, you can’t pay what a big company like Coca-Cola and IBM can pay. You just can’t. But on the other side, there’s more upside in the stock, and that’s one of the things that the guys in California really have dialed in, and I look forward to seeing more of the people in Atlanta learning that. I do think some of it has to start at the educational system. Georgia Tech and UGA all have engineers coming here and not understanding how stock options work. That’s a key part of the incentive model and I have to explain it to them.
The startup community is exploding in Atlanta, but what I’ve heard is that a lot of the money is still coming from Silicon Valley and New York. Is that what you’re seeing?
Yeah. There’s an exception: TechOperators does a lot of the Series A investments here. I actually found it’s easy to get security angel or seed money, early stage money here in Atlanta, and then get the larger checks on the West Coast.
I just think it’s somewhat ingrained in their behavior, and perhaps in their policies, that the institutional investors, the venture capitalists in the Southeast prefer to see companies that already have revenue. When you’re engineering a new market, you’re testing a new market, you don’t know, and so West Coast investors are typically more dreamers.
For those entrepreneurs who are about to take part in their first rodeo, what advice would you give? What would you tell them?
Legal fees are your best investment. Not just for (protecting) IP, but the corporate structure, helping to deal with investors, helping to negotiate terms. Especially for the founders, a good corporate counsel is incredibly important. No one wants to spend the money but it’s absolutely worth it.
The second is not to take your first (investment) offer. I see many times kids come in here and they took their first offer. There are twenty investors in town you could have shopped it to, and I think they just get nervous and they want to see the money in the bank. And so you’ve got to stay calm, cool and collected and shop your deal and let your lawyer do their job. There’s something called the expiring term sheet and I’ve probably seen fifty of them that expire at midnight, and they get another one the next day that expires at midnight. The expiring term sheet should not make you nervous.
Of course, when I got my first expiring term sheet, I was terrified, until my lawyer told me, “Don’t worry, you’ll get one next week.”