The founders of BitSight Technologies, Stephen Boyer and Nagarjuna Venna, believed they had a hot idea for a startup: a business that could assess and rate the cybersecurity of other businesses. But they also knew that a great idea means little without great execution. So they turned to someone with a record for building startups, Shaun McConnon.
Initially the founders thought McConnon, now 72, would make a terrific mentor. But in June 2012 McConnon, who had run three cybersecurity startups and sold them for a combined total of $1 billion, signed on as CEO. Boyer says the founders’ decision to bring in McConnon to run the business (they stayed on in technical roles) was an acknowledgment that most startups fail. “I rate them high on courage,” McConnon says. “They knew that I had separated from founders of the three previous companies.”
Today BitSight, based in Cambridge, Massachusetts, is in a sweet spot as companies look for ways to reduce the risks of being hacked. BitSight issues daily ratings that are akin to a credit score for security and help companies flag not only their own risks but also those of the companies they do business with: vendors, partners, acquisition targets. The risks from third parties burst into public consciousness after the 2013 attack on Target, when the credit-and debit-card data of 40 million customers was stolen through an HVAC vendor. While BitSight faces competition from newer entrants like SecurityScorecard and RiskRecon, it retains the advantage of having launched first and raised $95 million (it was recently valued at $340 million).
Named to the FORBES 2016 list of next billion-dollar startups, BitSight has more than 500 customers, including AIG, Safeway, Ferrari and Lowe’s, and has assessed the security of some 70,000 companies. Customers pay on a subscription basis with annual fees ranging from a few thousand dollars to analyze a single company to more than $1 million to review thousands of suppliers. FORBES estimates BitSight’s revenues will reach $50 million in 2017 and $100 million in 2018, when McConnon hopes to take the company public. He expects it to be profitable by 2019.
McConnon has never founded a company himself. Over the past two decades, however, he has sold Raptor Systems to Axent (now part of Symantec) for $250 million, Okena to Cisco for $154 million and Q1 Labs to IBM for some $600 million. “Shaun is a unicorn as a CEO,” says David Aronoff of Flybridge Capital Partners, who has known McConnon for two decades and who connected him with BitSight.
In each case McConnon, who is worth more than $100 million, joined the business at an early stage, brought in investors, made a marketing push and negotiated a sale. At Q1 Labs McConnon changed the direction of the company, taking it from an also-ran in behavioral-anomaly detection to a network-security alternative to Cisco. “Our investors had just invested in us and the category we were in,” says Tom Turner, 46, who has worked with McConnon for much of the past 15 years and is now BitSight’s president. “And Shaun went back to them and said, ‘This isn’t a long-term market .’ … One of Shaun’s great qualities is he does see market trends happening.”
To those used to seeing tech CEOs in hoodies, McConnon is a throwback. When he’s plotting strategy, he likes to sit at the Local, a gastropub near BitSight’s headquarters, and scribble on the backs of the previous week’s menus. He self-published a novel and reads voraciously, passing out books to staff and board members. “He gives me so many books it’s hard to keep up,” says Glenn Solomon, a managing partner at GGV Capital and a BitSight board member. “I’d put his energy level and drive against any of our founders and CEOs despite the fact that he is double the age of many of them.”
McConnon was born in the Flatbush section of Brooklyn in the 1940s, the son of an Irish-American tank man in World War II and a Czech woman. He was a tough kid who got into fights until the police put him in a program and gave him boxing gloves. “I had a chip on my shoulder,” he says.
He studied biology at Roanoke College but ended up in computers, becoming employee No. 74 at Sun Microsystems. At Sun he eventually ran sales in Australia and New Zealand, leaving in 1994 with enough money to retire. Instead he became CEO of his first startup at age 49. “I’m not the idea guy,” he says. “I usually inherit the idea or concept that over the next two years I morph into something that people want and will pay money for.”
At BitSight the idea guys are Boyer, now chief technology officer, and Venna, chief product officer. Both 40, Boyer and Venna met as graduate students at MIT when they were teamed on a class project. The idea for BitSight was simple in concept but excruciatingly difficult to execute. Rather than ask companies about their security risks, they would assess those risks from the outside, observing communications coming into and leaving a company’s network. “In 2011 nobody was paying attention to this. It was not on anyone’s radar,” Venna says. “We were going to VCs and they were saying, ‘That is not an important problem.’ ”
It is now. Cabela’s, the hunting and fishing goods retailer based in Sidney, Nebraska, has been using BitSight for almost a year to monitor its own risks and those of some 85 vendors. The chain has been able to slash the time it takes to vet new vendors from days or even weeks to just hours, says Michael Christian, Cabela’s information security manager for cyber-risk and compliance. “Three or four times, I have actually said no to vendors,” Christian says.
Behind BitSight’s simple scores, which range from 250 to 900, is a complex process and a lot of data. In 2014 McConnon acquired AnubisNetworks, a Portugal-based real-time threat-intelligence provider. The company had the best botnet-detection data in the world, McConnon says, so he bought it for $13 million–even though Anubis was bigger than BitSight. “Within a day,” McConnon says, “I e-mailed my biggest competitor in New York, who was also leasing the data, and told him I was giving him 30 days’ notice that he no longer had access to the data.”
McConnon raised another $40 million in September to ramp up partnerships, add another 100 people to BitSight’s staff of 220 and pursue further acquisitions. As he says, “No one gives you a ribbon in this business for coming in second or third.”
Amy Feldman: I joined the Forbes Entrepreneurs team in May 2016. It’s my second stint at Forbes: I learned the ropes of business journalism under Forbes legendary editor Jim Michaels in the 1990s. I’ve also been a staff writer or senior writer at BusinessWeek, Money and the New York Daily News. In between staff jobs, I’ve worked as a journalist/entrepreneur, writing for Barron’s, Fast Company, Fortune, Inc., the New York Times, Reuters and other publications. I’ve written about everything from penny stock scammers to tax policy. I write here about entrepreneurs and small business, with a focus on financing and a soft spot for a good story. Ping me with ideas, or follow me on Twitter @amyfeldman.