June 2, 2024 • 60 mins
Few cybersecurity companies have been able to bootstrap their way to success – Tenable stands above the rest in this category. The company raised its first round of funding after 10 years of operations. It had $90M of revenue at the time. In the venture world, “Tenable was the best cybersecurity business that nobody had ever heard of.” Today, it is the leading cyber exposure and vulnerability management company with $800M in revenue and over 44,000 customers globally.
In our second episode of ‘Inside the Network’ we sit down with Ron Gula, co-founder and former CEO of Tenable. We learn about his early beginnings and love for fighter jets and UFOs. We dive into his three successful startup journeys, including his most recent run building Tenable over 14 years. And we talk about lessons learned from his investing career at Gula Tech Adventures with over $100M invested in 50+ startups.
After their successful entrepreneurial journey, Ron and his wife Cyndi’s work has continued with Gula Tech Foundation, working to make the cybersecurity sector more diverse and inclusive. Finally, we touch on Ron’s new-found passion as a YouTube influencer – the Joe Rogan of cybersecurity has now garnered over 150K subscribers!
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sid Trivedi (00:04):
Welcome to Inside the Network. I'm Sid Trivedi.
Ross Haleliuk (00:08):
I am Ross Haleliuk.
Mahendra Ramsinghani (00:10):
And I am Mahendra Ramsinghani.
We have spent decades building,investing, and researching
cybersecurity companies.
Sid Trivedi (00:19):
On this podcast, we invite you to join us inside the
network, where we bring the bestfounders, operators, and
investors, building the futureof cyber.
Ross Haleliuk (00:31):
We will talk about the hard parts of the
founder journey. Launchingcompanies, getting to product
market fit, raising capital, andscaling to an exit.
Mahendra Ramsinghani (00:42):
And, yes, we will also be talking about
epic failures.
Sid Trivedi (00:46):
But, Mahendra, we're here to make the founder
journey easier.
Mahendra Ramsinghani (00:49):
That is correct, Sid. But we cannot make
it too much easier becausestartups are hard. And, of
course, you already knew that.
Ross Haleliuk (00:57):
Alright, you too. Enough. Let's get started with
this week's episode.
Welcome, Ron, to inside thenetwork. Before we go into the
episode, we just got out of RSA.It was an exciting conference.
There were over 50,000attendees, and it was great to
see you there too.
What were your key learnings?What did you see?
Ron Gula (01:19):
I think the biggest thing I saw was the excellent
use of artificial intelligence.People who were doing AI for
security talked about it likethat. There was no high level,
superfluous marketing there, andI still can call it the RSAI
conference because AI is gonnaeat the cyber industry. So that
was some of my feedback there.
Ross Haleliuk (01:39):
Yeah. So for me, I haven't really spent all that
much time on the floor. In theout in the, you know, minutes,
or tens of minutes, I did, goaround. The one thing that stood
out was, I don't remember whichvendor specifically was this.
And I genuinely don't remember.
Not only I do don't want to callthem out, but I don't remember
the actual vendor. What wasinteresting to see, there was a
(02:03):
company that had, that didn'thave a booth, so it had an empty
space. And it just had a signredirecting people to another
booth, essentially saying that,hey. This vendor was acquired by
this other big company. Pleasego to that other big company and
talk to them.
To me, that was that was themost insane marketing decision,
(02:23):
insane marketing choice. Youessentially had like, it doesn't
matter who you are as a vendor.What matters is that you got a
space which you can fill howeveryou want, and that is how you
decided to go about it. So tome, that that was the most
insane part. The mostinteresting and the most
unexpected was probably the factthat there were quite a few,
well, there were few, there werenot enough companies tackling AI
(02:49):
for security or security for AI,but specifically AI for
security.
I believe it was only Protect AIand maybe 1 or 2 other vendors
that were in that space, andeverybody else did not really
have a large presence or anypresence at the floor. That was
that was surprising, and thenthere was also probably 1 or 2
vendors in the AI SOC space or,you know, AI engineer, for a
(03:13):
SOC, and the rest are stillprobably in stealth. So that was
surprising and unexpected.
Sid Trivedi (03:18):
For me, I think the most surprising thing was just
seeing Keanu Reeves in an actualmarketing commercial for a
cybersecurity company. Right?That it was just it was it was
unexpected. You know, we've seenover the years, we've had a
whole bunch of high qualityathletes, actors, you know,
titans of industry go andpromote cybersecurity, but that
(03:42):
it was it was very unexpected.In terms of, what I didn't
expect, I think the number ofnations that had not just boots,
but a large presence, whetherthat's the United States.
I mean, the secretary of stateTony Blinken came and did a
keynote, which was amazing justgiven the fact that just days
(04:04):
before he was in Israel tryingto negotiate a ceasefire. And
then he ended up going toUkraine right after this. So he
ended up spending his Mondaycoming in doing a keynote at
RSA, a cybersecurity conferencein the middle of 2 very, very
large conflicts that arehappening globally. I think it
gave us a sense of how much, notjust the United States, but you
(04:26):
also had presence from Germany,presence from, you know, Israel
and other countries who who arephysically there in the expo
halls but also in sessions. Justhow much different nations care
about cybersecurity.
We got to see it in full force.That was that was different.
Mahendra?
Mahendra Ramsinghani (04:46):
No, that's a very interesting point, Sid,
about how the role of governmentis becoming more and more front
and center, not just inWashington DC where policy
papers are being churned out,but actually being a part of the
floor, being a part of theconference, coming and speaking
at these events. And so, Icouldn't agree more that the
(05:08):
role of government is becomingmore and more amplified. You
know, for me, the parts thatwere interesting, to Ross's
point, the company is gettingacquired where a booth is empty.
I spoke with several VCs whowere talking about companies
getting offers. So one companythat is about 5 to 6 million in
(05:33):
revenues has a $800 millionoffer at the table, acquisition
offer.
And I was asking the CEO,Hallelujah, why did you take it?
And the CEO says, Well, becauseI have a VC giving me
$200 million at a $1 billionvaluation. So as much as all the
doom and gloom that we hearabout companies sort of, you
know, not being able to raisemoney, here are some outliers
(05:55):
that I heard.
Another interesting data point II heard was I talked to a bunch
of CISOs asking their views onAI. And consistently, most of
the CISOs said 99.9% of whateverthis AI snake oil is bullshit,
literally. And so, so I justsort of like say, hey, wait a
(06:16):
sec, but those are my companies.Those are investors who are all
excited about AI. And this userwould be like, yeah, yeah, yeah,
your excitement becomes my prop.
Sid Trivedi (06:26):
Too much too much fun.
Well, Ron, let's go a little bitinto kind of a few different
parts of your life, and we'regonna start with a little bit of
information on what you weredoing before Tenable. Of course,
we'll talk about the Tenablestory and all the learnings you
have had. We'll talk a littlebit about after Tenable, both in
(06:47):
terms of your investing career,which is now quite long, as well
as a little bit about whatyou're doing to try to influence
the industry, both through yourfoundation work and and other
work you've done. But let'sstart with your background and
your childhood.
Tell us a little bit about Ronbefore Tenable. Everyone talks
about Ron, you know, this veryfamous founder of Tenable and
(07:09):
CEO for 15 years, but very fewfolks have really understood
your background and where youcame from.
Ron Gula (07:15):
I appreciate the opportunity to share that
because I think everybody incybersecurity should think about
what they're doing as equalimportance as we try to
professionalize our industry.But I was fortunate enough to
grow up. My mom and dad lived upin Syracuse, New York, grew up
in upstate New York, went toClarkson University. 1 of my
roommates was, Marty Roesch, theguy that that did Sourcefire.
(07:36):
Right?
So we were good friends back inthe day, and and, he's doing his
own thing at Netography now. Butfrom Clarkson, I joined the Air
Force. I wanted to be a fighterpilot. I actually got into
fighter pilot flight school.There's a flight school where
you can go to instead of havingto be the 1st in your class to
get an f 16 or an f 22.
You would have to be anybody inthis class and you can get
(07:56):
something. But it turns out Ipulled a little bit of g's and
it didn't really work out toowell for me. So I got out of
that and got into my first love,which was always computers. And
from there, I end up working ona tour at the National Security
Agency where I was doingpenetration testing in the
nineties. And nobody called itCyberback then.
It was information operations,CNO, CNA, computer network
(08:17):
defense, all that kind of goodstuff. But I got to be involved
with some national exercises,something called eligible
receiver, which you can Googleand find a few things, but was
kind of a cool test that was wasinteresting. I was involved with
that a good bit, and, theplanning side. And, I got out,
worked for a, it's a bad term,but a Beltway contractor, BBN.
You know, the people whoinvented the Internet, I got to
(08:39):
meet the guy that did the atsign and and stuff like that.
Got to learn how to dogovernment procurement. But from
there, I really started workingat startups. I joined a company
called US Inter Networking, wassort of like a cloud one o
company. And they were doingthings like buying PeopleSoft
and exchange licenses andselling them to multiple
customers. Nobody heard of SaaSback in the day.
So I got to understand newlicensing and selling new
(09:02):
licensing with new models andwhatnot. But while I was there,
I was running intrusiondetection, so called risk
mitigation. I wasn't the CISO. Iwas the guy doing the pen
testing and keeping hackers out.And, I had the idea to to write
Dragon.
And I came home one day, talkedto my wife, Cyndi, and said, I I
need you to figure out the thebusiness side of things. I'm
gonna figure out how to write aproduct and sell it. And within
(09:24):
18 months, we had sold thatproduct for, just couple double
digits. We had massivedeployments to DOD, Citibank,
AOL, that kind of stuff. And,the people that bought us were
from Interisys, Jack Hufford,And we ended up going on to
start a 10able network security.
So that's a fun story. I lovetelling it. And, you know,
everything we did was kind ofbuilding upon what we did in the
(09:46):
past. And I'm just trying togive back now.
Ross Haleliuk (09:49):
Very interesting. Ron, you started doing
information security well beforeit was called cyber. And it's
interesting to me, what wassecurity like at that time? How
many people worked in theindustry? What was the industry
like?
Where did you meet others? Didyou indeed congregate as a
community, or was it still allvery, disconnected?
Ron Gula (10:09):
So there was a lot of interesting overlap. So, you
know, working at the NSA,working as a pen tester, the
world went through a number ofchanges. Right? We used to hoard
exploits. So if you were on thescene in the nineties, you know,
0 days, you would trade them.
And I still remember trading 0days with various people, and
(10:29):
then something changed in thelate nineties, early 2000. All
of a sudden, it became the coolthing to publish and get credit
for that. So that was a reallybig deal. There was always
collaboration. Like, I mean,Gene Spafford, Matt Bishop, a
lot of these gray beards, theywould come by, you know, the
NSA.
We'd see these people, you know,at RSA. We we would talk to
(10:50):
them, and there's a lot ofcollaboration there. But cyber
wasn't really cyber untilpeople's websites started
getting hacked and peoplestarted, you know, stealing
money from banks and and thatsort of thing, and then the
whole industry just kind of kindof exploded. And if you didn't
kinda grow up in the industry,it's people on the outside who
it's become so insular that ifyou didn't grow up in the
(11:12):
industry, it's really hard toget into the industry. I'm sure
we'll talk about that a goodbit.
Because we speak so manydifferent languages, and then we
have so many things that we doin cyber that just turn non
cyber people off, whether it'sthe language of talking about
hunting the Russians or theChinese on the network. Right?
Which can be a little too overlymilitaristic and maybe turn off,
you know, certain parts of thedemographic and stuff, or just
(11:34):
the the jargon that we do. It'sit's not very inviting to, to
people who want to makedecisions about important things
about where their data is going.So so that's the biggest things
I've seen change over the lastprobably 15, 20 years is just
the popularity of cybersecurityand the continued lack of
understanding of what it doesbecause the technology just
changes so fast.
Sid Trivedi (11:55):
And just, you know, following up on that, Ron, this
question that Ross asked abouthow the cyber community was so
early when you got started, didyou think that you wanted to go
into cyber? Was cyber even a acategory that you define? You
talked about your Air Forcedays. I've read that you wanted
to be a pilot, and and thatwould have been kind of partly
(12:16):
your dream. So how did you kindof fall into to cyber?
Ron Gula (12:19):
Yeah. I I think I'm gonna coin something new. I I
don't think I've said on otherother shows, which is not only
my failed fighter pilot, but butthe basic plan was to to go to
fighter pilot school and getinvolved with, like, the UFO
program. And, so when I startedworking at the NSA, people were
like, oh, are you working withwith the UFOs? Like, no.
I'm not working with that. Of ofcourse, you are. Right? So so
(12:40):
that that you know, I reallywanted to do that sort of stuff.
And one of the reasons that gotme into cyber is I was reading,
you know, the online UFOstories, that sort of thing.
And, I'm not gonna say I wasreading them on YouTube that was
more like a bulletin board. Youhad to get with a modem or
something like that right backin the day. But right next to
those UFO stories was frack.Right next to that, was a ATLGM.
(13:03):
So I was able to to go from thatto, oh, there's a lot of really,
really good things to teachyourself about that.
So that's that's how I kinda gotgot into it. I think a lot of
people back in the day got intoit because it was this sort of
edgy, are you a hacker? Are youan information security
researcher? Regardless, you hadto spend a lot of time teaching
yourself about how how does SNMPwork? How does Ethernet work?
(13:25):
How does how does, you know,these various protocols work?
Mahendra Ramsinghani (13:29):
You know, one of the refreshing parts
about you, Ron, is how you andCyndi together have played this
role in cybersecurity. The 2 ofyou are both investing, doing
good work at the foundation.Even at RSA, you're sort of such
a well integrated couple, bothin your personal lives as well
as your work lives. Incybersecurity, we rarely see
(13:50):
this. In fact, the only otherperson I can think of is Caleb
Sima.
You know, he invited his mom toa talk he gave on AI. And, you
know, the audience just loved itthat he had brought his mom. And
I saw his pictures, he broughthis kids to RSA. So share with
us how we as human beings andindividuals can learn from some
(14:12):
of the things you're doing here.
Ron Gula (14:13):
So it's it's interesting. I didn't set out to
do, this is the 3rd company I'vedone with Cyndi now. And it's
not everybody comes out to usand says, oh my gosh, it's so
good, so unique. And and it's,it's so nice to see, you know, a
loving couple out there do dowork. But the reality is you can
work I I just we were justspeaking at a military
conference called HammerCon.
(14:33):
And we said, look. This issomething you can't do. Like,
you cannot command an aircraftcarrier, and your spouse cannot
be in charge of the, f 18squatter. Right? It's just it's
just not something.
Can't do that in government. Alot of big corporations, you
can't do that. But but if youstart your own company, you can
do whatever you want. And itreally, really worked out that,
(14:54):
when you take a risk to start acompany, you know, your spouse
is taking that risk too. And Ithink I think sometimes people
start companies, and maybe theother spouse is working and it
gives you this kind of a acushion and there's nothing
wrong with that.
But at the time, Cyndi and Iwere were both sort of thinking,
hey, let's go all in on this andwork on it together. And it it
worked out. Then maybe there'sanother universe where it didn't
(15:16):
work out, but but it worked outin this universe. And not only
do we do it once, but we did itagain with Tenable. And in that
story, you know, Cyndi was verygracious, very much backroom,
not front and center.
And you because again, we got alittle bit of negative
connotations with the husbandwife sort of, mom and pop shop
would be the the negative termthere. But now with Gula Tech
(15:39):
Adventures, we speak together alot. She's keynoted on her own.
She's on the boards ofcompanies, you know, and and we
work on a lot of stuff at GoogleTech Adventures as a team. So
that's, you know, some veryexcited about that.
And, you know, not just for, youknow, trying to represent a nice
good marriage and and how to doteamwork and stuff. But it
really helps us when we talk toother companies, even if the
(16:01):
founders aren't married. Right?Or just maybe it's a father and
son. Right?
Or maybe just 2 people fromcollege. You have to answer
questions like how do you makedecisions? How do you resolve
conflict? What are your goals?And, work on those
communications.
So that's really like themessages that we have to say is
like, it just really refined.What are your goals? How do you
communicate? And what are therisks that you're taking?
Mahendra Ramsinghani (16:22):
And you know, the most important part
here, Ron, is that when Cyndisteps up you know, at RSA, we
don't see this balance ofgender, balance of diversity. So
we're very, very grateful thatboth of you do this together. It
also gives opportunity to a lotof other female founders, and
more importantly, female CISOs,who sometimes feel like they may
(16:43):
not necessarily have a voice inthe room or they may feel not as
empowered. So thank you. I knowCyndi is not with us today, but
please extend our gratitude toher.
Ron Gula (16:52):
I will. I will. And we do get that. It's funny because
we do get the opportunity tospeak on a lot of different
things. We've done a lot ofdifferent donations through our
our foundation, a lot ofdifferent competitions.
And we're not experts in thethings that we've tried to
support even though we know thatthey're there. So one of the
ones we did was benefited, youknow, just increasing cyber
awareness at the, boardroomlevel. And, you know, the group
(17:15):
that won it ended up getting,almost a 1000 women trained in
the, qualified technical expertis the standard. I was pretty
excited about that because thatreally increases diversity,
really increases not justdiversity of of the sexes and
and and so but actual diversityof thought. And and that's
really where I think the nationreally benefits.
(17:36):
Like, I like, don't get mewrong. I'm I'm quite happy that
we have a diverse group ofpeople and stuff, but I like
diversity of thought andapproaches so much more. And the
comment I usually make aboutSynchronyze, I think one of the
reasons we work well togetherfor both engineers. We're more
worried about having the correctsolution than being perceived as
having the right solution. Soit's it's pretty good.
(17:59):
And I think one of the thingsthat stories out there, if you
ever watch Ozarks, you know, thelead character, he'll it'll be a
very stressful situation, andsomebody will say something.
He'll be like, that's nothelpful. That's very much how
how we look things like, what ishelpful, what gets us the right
things, and how do youcommunicate about that?
Ross Haleliuk (18:15):
Interesting. One of the things you've just
mentioned, was about the risksof starting companies. And I'm
very curious because today, itfeels as if the whole idea of
entrepreneurship has, to acertain degree, been derisked.
Right? There has been a lot ofeducation around starting
companies.
There is a fairly mature ventureand investor ecosystem. What was
it like when you were startingyour first business?
Ron Gula (18:37):
So it's interesting. You know, coming out of the NSA,
coming out of the air force, youdon't really get a whole lot of
here's how to transition tocivilian. Here's how to
transition to start a company.Nowadays, you do. The the
military has great programs ontransitioning, you know,
veterans in the private sectorand and on but back in the day,
it was very much, oh, go go workat a Beltway band.
(18:57):
It get picked up by by somebodythere. You'll have a you'll have
a good career. You're anengineer, that kind of thing.
There wasn't anybody tapping onyour shoulder that says, look.
If you got a couple ideas, youcan get some coders and and
start a company.
So literally, I I would go tosome economic development, some
it was basically meetings withbusinesses, and I'm sitting next
to people who have, like,cupcake shops. Right? And I'm
good. They're working hard.They're working just as hard as
(19:18):
we are, but it's a different setof stuff when you're doing
cyber.
So what we did in the latenineties, early 2000, we kinda
did on our own. Right? We neverreally talked to venture capital
people. We never really had whatI would consider professional go
to market training. We neverreally had any of that stuff.
And, we did quite well. Andpeople are astounded that we,
you know, brought a company tomarket and sold it to the
(19:41):
federal government, sold it tothe intelligence community, sold
it to major banks, and gotacquired. We have multiple
offers for what we did. So nowwhen we do investing, like, one
of my biggest questions is,like, what's your risk here?
Like, why you don't need toraise money to, like, build a
nuclear reactor.
Right? You you need to sell somestuff. Usually, the founders
selling stuff. And I guess wehave a lot more higher
expectations of startupcompanies. And we're also very,
(20:03):
very aware that when you start acompany, one of the biggest
risks if you're successful issomebody like come along and
make you an offer that you willtake.
Right? Well, you're you're 18months into it, and here comes
Cisco and they buy you. Thatthat happens quite a quite a
bit. So we understand thatfounder's journey a whole lot,
but at the same time, we just weknow a lot of founders. It just
the the team didn't work and,you know, a lot of businesses
(20:25):
don't make it past that 1st yearor 2 years, or they they get
into that zombie state wherethey're making services and it's
business, but it's not a productbusiness, that sort of stuff.
Sid Trivedi (20:39):
Well, we bounced around the idea of Tenable a few
times already. So let's go intoit in a little bit more detail.
In late 2002, you get startedwith this new company, and that
company in the early days isfocused on vulnerability
assessment and management andends up going and creating this
new category, which is calledcyber exposure management today.
But in those very formativeyears, how did you pick Jack
(21:04):
Hufford and Renaud Deraison towork together to go and start
Tenable? And how were you evendividing up responsibilities?
Was it that you were CEO andsomebody was CTO and someone was
CPO? Or were you kind of workingtogether? How did you make that
decision?
Ron Gula (21:19):
Yeah. I I love telling the story because everybody
really needs a great set offounders and a great team. And,
you know, the way I talk aboutit is I had I had Cyndi, I had
Jack, I had Renaud. They allworked extremely well together,
and and it was a reallyinteresting story. Right?
So Jack knew Cyndi and I. He haddone the diligence on acquiring
network security wizards for forInterisys. So he knew how well
(21:42):
Cyndi ran the books, ran theoperations, ran the board
meetings, ran all that kind ofstuff. And of all the companies
they acquired, they said ourswas the easiest, not because we
were the the smallest, but itwas the most well organized. It
just kind of made sense,engineers running all that that
kind of stuff.
So Cyndi and Jack really did alot of the initial, how does the
company work? How do we dopayroll? How do we get an
(22:03):
office? How do we do all thatthat kind of stuff? Renault and
I did a lot of the originalcoding.
I had the CTO. I was probablyone of the few founders, had the
CEO and CTO style. Renault isvery public right now, but in
their early days, Renault wasnot as public. So I would
introduce myself as CEO, CTO.And it's actually something I'll
I'll criticize myself forbecause I actually will call
that out.
And, you know, if you're afounder and you're the CEO,
(22:24):
great. If you're technical,that's that's great too. But but
I got lucky. I mean, every oneof those people smarter than I
am in their areas, and I canspeak their language. So I could
still p speak code, speakarchitecture.
The thing that I think I broughtto Renault and and Jack and
Cyndi was having been a pentester, having been, you know,
an operator, I can put myself inthe operator shoes, and I'm
(22:45):
speaking the customer'slanguage, everybody else's way.
But the reality isdisagreements. But we really
agreed on a lot of things. Imean, and we went 15 years or so
became super, super successful,we really, really worked well
together. And, you know, Idefinitely miss working with
those folks every day, but theculture that we put together is
(23:05):
really kinda I think a meet yourend is doing a great, great job.
But a lot of times when I hearpeople who are working at
Tenable, first thing they sayis, love working here. Love that
culture. It's very enduring.That's kind of that gestation.
Oh, there's one other story.
You never know how you're gonnado it. But when I was doing
Dragon, we had worked withRenault on taking Ness's
vulnerability scans and mappingthem to attacks. Because one of
(23:29):
the things you would do withnetwork intrusion detection is
you could see an attack going toa Linux computer, But if that
computer, in fact, was a Windowscomputer, maybe you could ignore
that attack. So having done thattype of correlation with
Renault, we were like, we knewabout Nessus. We knew we knew
Renault.
We we thought it'd be really,really good to, to have that as
part of the Tenable platform.
Sid Trivedi (23:50):
You talked a little bit about dividing up
responsibilities. I'm curiouswhile you can work together as a
team when you have so many folksin those formative years, who
made the executive decision whenthere were these arguments
between yourself, Jack, Renault,and Cyndi, who was the person
who would say, well, this is theway we're gonna go after a
debate?
Ron Gula (24:08):
Well, I mean, I was I was CEO, so I got to make a lot
of those decisions, but itwasn't like my way or the
highway every day. You don't go16 years making a unilateral
decision, you know, all the timelike that. So I wouldn't I've
just I almost feel a littleuncomfortable talking about it
like that. But at least wetalked about it quite a bit.
Right?
And there were a lot of thingsthat when you really start to
(24:28):
like, I'll give you a goodexample. When we do like, okay,
we're going to change theinternal framework architecture
of Nessus. Great. Are we goingto suffer some customer
features, maybe for a quarter or2, but we're going to then do
it. So like, so Cyndi and Jackwould have a tremendous amount
of of trust of, like, Renaud andI when we made something like
that.
Another thing that we did is weswitched today in 2024. I mean,
(24:51):
everybody sells things.Everything's ARR. Everything's
SaaS. Right?
But back in the the latenineties, you sold thing
perpetual, and you sold aseparate maintenance discussion.
Right? Well, flipping from thatto SaaS was tough. And Bruno,
believe it or not, had a lot ofempathy for the customers. And,
you know, sometimes it was muchmore on the side of, oh, no.
(25:12):
We can't, you know, we can't letthe customer down and and that
sort of thing. And then there'syou know? So the it's it's a
really interesting, you know,discussion at that point. But
I'll just tell you that thediscussions we had were very
healthy, very well respectful,and it was it was good. Now the
hard part though was when Cyndiand I were on different pages.
Right? Because when Cundi and Iwere on different pages, it's
(25:32):
sort of like, hey, mom and dadare fighting. Right? And it's
like, no. No.
We're engineers talking about,you know, these situations and
and that sort of like and werecognize it does put people in
a, an awkward comp you know, anawkward position. But, you know,
you don't you don't hide thefact. Right? I mean, it's,
voluntary related is how we liketo to talk about it.
Ross Haleliuk (25:52):
Ron, Nexus was originally built as an open
source solution forvulnerability scanning. And then
in 2005, it became a proprietarysoftware. Since you've just you
were just talking aboutsubscriptions, what was the
journey of monetizing opensource nearly 2 decades ago?
Like, how did you navigate it?Like, what was hard about it?
Ron Gula (26:10):
Yeah. So when when we went through that, that was
something that if people said,like, what was something you did
well that was really risky? Thatwas something we did really,
really well because we were ableto communicate the change to
people and communicate why wedid it and, you know, give
people alternatives like the,you know, we basically the fork
(26:31):
was out there. Right? So itwasn't like we we were taking it
away from people.
Right? We it it was still outthere. But the reality is like,
everybody thinks of open sourceas free and written by a
community. Well, today, if Isaid open source, the vast
majority of people will focus onfree, and they don't really
focus on community. NASA's workwas tenable.
(26:55):
And we literally we had likehundreds of engineers writing
code, And it was this is notsustainable. Like, this is not a
sustainable, you know, sort oflong term thing. So we wanted to
change that to make a betterproduct for people because we
saw all of these vulnerabilitiescoming and stuff like that. And
also back in the day, we wereactually also penalized for open
(27:15):
source. We would go into dealswhere it would be like, if it's
a half a $1,000,000 deal and anda bank would be like, you need
to buy, like, half $1,000,000 ofof indemnification insurance
because someday somebody mightsue you and then sue us because
of, because of your your sourcecode that you're using.
So so we were we wereincentivized by the market to
kinda go this way, you know,which is a really interesting
(27:38):
thing because nowadays, almosteverybody's everybody's SaaS
offering has some open sourcecode on the back end, but people
don't know it or see it becauseit's behind a mobile app or
behind a web. And, you know,there's plenty of that stuff
that stuff floating around outthere. But, but, yeah, that was
the biggest the the biggestthing I'm proud about with that
is that we communicated itreally well. We had some really
(27:59):
good advisers on how tocommunicate that and put that
out, and it was, no no regretsthere at all.
Mahendra Ramsinghani (28:07):
So, Ron, let's shift gears a little bit
into the venture capital side ofthe journey at Tenable. So,
Tenable raised a $50,000,000Series A a after almost 10 years
of operations. 1st, talk to usabout what that 10 years was
like. You completely bypassedbypassed the classical formula
that most founders use, whichis, I first need money to build
(28:30):
something. And here you aresaying, We're going to build it.
And not only build it, we'llkeep building it for 10 years. I
mean, talk to us about thatphase of the journey. How did
you do it? What were someinternal debates with Cyndi,
with Renault, with Jack, all theups and downs?
Ron Gula (28:45):
So the stories I like to tell about that time are for
founders who are going throughthe struggle right now. So when
we started Tenable, we werefortunate to, you know, come off
of an exit within tariffs. Wehad a little bit of money. We
were not couple less zeroes thanwhat we're dealing with, today,
so to speak. But we were able tofloat a payroll check here and
there.
And so when we talk to foundersabout going it and going through
(29:07):
tough times and deferring salaryand that sort of thing is it's
really because we've we've livedit. And what that allowed us to
do is get to a point whereTenable was basically cash flow
positive. And and at that timewe did that raise, we had
$50,000,000 in the bank. Sopeople ask, well, why did you
raise? And it was for a couplecouple of reasons.
(29:30):
So so one, you know, you reallycan't go public with somebody
who owns a 100% of the stock. Idon't know a 100% of the stock,
right? But I had a good bit ofit, right? It's a lot more than
most founders. Like theemployees and the founders of
Tenable, we owned that company.
There were no investor that hadlike a 3rd or 45%. Right? So we
(29:51):
were not diluted at all by bythat. But at the same time, that
can get you an acquisition, youknow, which is good. And again,
that's a good goal, not wrong.
But if you're looking to gobigger, you're not gonna go
public with that. Right? So thestory then is secondary sales.
And this gets really obtusereally quick, but the reality is
is all those raises we didbenefited the employees and the
(30:13):
founders in such a way that theywere basically pocketing money,
you know, and then going back towork the next day. And we had
multiple moments when we didthat raise where, like, we pull
people into a room, and we hadto explain what secondary sales
were.
And also have to say, like,well, you could sell right now
and pay off your house or holdit, and maybe, you know, someday
(30:34):
there'll be a public offering.Right? That's an awkward and
very fun conversation I hopeevery founder has the ability to
do. But then we also had, like,tactical issues. Like, you know,
we were just being like, today,it's different.
But in the early 2000, formerNSA founder, lives in Maryland,
right next to NSA. I can tellyou for a fact that we're doing
45, 40, $50,000,000 of revenue,product revenue. Everybody else
(30:58):
from California hears, oh,they're a services government
contractor company. Right? Soraising $50,000,000 from an
excellent, you know, venturecapital firm, you know, Accel
Partners was a really, reallybig statement.
You know, so that was that waswhere, where we were looking at
the time.
Mahendra Ramsinghani (31:14):
That's very fascinating, Ron. Can you
share with us how the initialcontact with Accel occurred? And
then what was the postinvestment phase like for the
next before Insight stepped inwith another $250,000,000
Ron Gula (31:29):
check? Yeah, so I give Ping Li from Accel, partners all
the credit. So Ping would meetwith Jack, then he would meet
with me and Jack, pretty much atevery RSA and every Black Hat.
And, you know, every year wedoubled where we were last year,
you know, and it was just it wasjust one of those things. We
just we were we were machines.
We just kept doing what we weredoing because we every year we
(31:50):
thought, oh, maybe this will bethe year we get acquired. You
know? So we weren't thinkingabout going long until we
started hanging out with Ping.We had a couple other funds that
were were talking to us andstuff like that. But, you know,
it's for the the client, thethe, the employees we had at at
Tenable.
You know, again, coming fromsort of the Maryland, Virginia
area, you know, it's a differentthing. There weren't companies
(32:11):
going IPO in the cyber market.We were one of those first
things. So it was really good tohave, Accel Partners come in.
And, you know, Ping and the teamthere came in and met met the
employees.
You know, we did a lot of that.I mean, you know, they were
minority of it, $50,000,000check, minority investors.
That's kind of it. Again, alittle uncomfortable for them to
(32:32):
flying to the east coast. Youknow, that was interesting.
Of course, you know, today, itit this kind of stuff happens
all the time. But again, early2000, mid 2000, it was, it was
interesting. So then, you know,as we matured, we really got
that pre IPO type of thought.And, we hired, Steve Vince. And
Steve Vince, the current CFO ofTenable, a local Howard County
(32:56):
where where I'm I'm from today,joined and just completely
transformed.
And, like, I have so muchrespect for, you know, the team
that got us to where that thatpoint. But when Steve came in,
professional, you know, CFO, FPand a, all that kind of stuff,
and I all of a sudden, I couldstart seeing 4 years, 5 years
into the future. And, you know,with all sorts of models that
(33:16):
really allowed us to startthinking about, oh, maybe it'd
make a lot of sense to raise alot more money at that secondary
thing and take another bite atthat at that apple. And, you
know, along the way, we had acouple of m and a offers. Didn't
really take them.
You know, had to make somedecisions there. But, I think
any company on a run up likethat happens. And of course, I
stepped away, you know, with theidea that Amit's gonna take it
(33:38):
public, and that's exactly whathappened.
Mahendra Ramsinghani (33:39):
Well, I think that what you built is
quite phenomenal. I just wantedto read some statistics for the
benefit of our audience. Thecompany had 20,000 customers at
the time you went public. Youknow, that is a significant
number. Now, what is interestingis that the average contract
value, or ACV, as we might callit, was $5,000 per customer.
(34:02):
So that's how you were up almostabout $200,000,000 in revenues.
Did the VCs fight back on theACV, saying that this is too
small an ACV with a very largenumber of customers? You know,
because at most VCs, you know,we like 6 figure contract values
with a smaller number of logos,but here you are with exactly
the opposite. Can you share alittle more of what happened
(34:22):
inside the VC conversationsaround these numbers?
Ron Gula (34:25):
So, you know, Tenable today, it's very different as
far as what they offer than whatthe when I was running it. But
when we were running it, youknow, we basically had had
Nessus, which was avulnerability scanner. And, you
know, we we added a lot of valueto Nessus, but it was basically
a single user type of, of ofthing, and it went from an
(34:46):
unlimited thing for maybe $1200a year to maybe a per IP thing
for, you know, a couple $1,000 ayear and and but it was for a
user thing. And then we hadsecurity center, which was
really the the enterpriseoffering. And he could buy some
things for it, but that was the$250,000, the $100,000 thing.
You constantly have these 2buckets of, of of revenue that
(35:09):
all had little bit little bitdifferent there. And then, you
know, we were a little bit lateto the cloud game compared to
some of our competitors, but weadded Tenable. Io and that's
where we've been pushing a lotof the the customers, which is
sort of a blend of you can't doas sophisticated of some of the
analysis you need to do withSecurity Center, but it's
certainly more sophisticatedthan Nessus. And, of course,
(35:30):
Tenable has done a lot ofacquisitions, you know, since
then. But but the conversationwas always, and this is where I
go back to all the venturecapital we do today, how do I
license the thing that I sell?
So, I mean, at at some points,you know, we had people using
Nessus, and we said, well, maybeif we gave Nessus away for free,
we could charge a premium forthese, you know, these
(35:51):
enterprise, insights and andanalysis of the data and that
sort of thing. And on on theother hand, you're like, well,
maybe if you give the analysisaway for free, you could sell
more Nessus scanners becausemore people will will like that.
And, you know, I don't think weever got to an answer because,
you know, when I was navigatingit, it was there were you know,
the GRC people wanted to addNessus to what they were doing.
(36:12):
The there was no sore. There wasno, you know, the SIM guys
wanted to add scanners to whatthey were doing.
Of course, now, you know, you'vegot people who do just asset
discovery, like Axonius andstuff like that. And, you know,
I would view that as competitioneven though one's sorta IT
management, one's vulnerabilitymanager. They're they're
related, but they're, you know,they're very, very different
things. And, of course, I didn'ttalk at all about the cloud and
(36:34):
SaaS and mobile devices and allthat kind of stuff. That's one
of the reasons the Tenableproduct line right now is they
call it cyber exposure.
Like a lot of those things don'teven have, you know, IP
addresses right now becausethey're ephemeral. They come and
go. So that's that's kinda wherewe're at.
Mahendra Ramsinghani (36:48):
You correctly said, Ron, that the
company is very different today.And, you know, as I was looking
at the most recent financial,materials that are posted on the
company's website, you know, ithas almost, 1700, large
customers, large meaning morethan 100,000 ACB, And it's gone
from, 200,000,000 revenues whenit went public to today, it's
(37:09):
almost north of 800,000,000. Soit has added 600,000,000 to top
line in 5 years. Compared to 0to 15 years, it added
200,000,000 top line. So verydifferent business.
I mean, how do you, as a leader,see these 2 different phases of
growth? You know, one was aphase of gradual sort of incline
(37:29):
and the other is a very rapidscaling that, Amit is leading.
Ron Gula (37:34):
Yeah. So Amit's very good at that. Like, I mean,
obviously, when we were doingall these things, he he had a
good career at, RSA and NetWitness. He has some good time
with the the federal governmentfor for stint as the czar. So he
had a lot of exposure to how dowe get a technology like this in
the hands of a lot of people.
Right? You gotta partners.Right? You gotta have the sales,
(37:56):
so you gotta have the branding,and have all that all that kind
of stuff. So they've done anexcellent job with us.
Amit's been at this just as longas we have. When we did Dragon,
we were working with him at hisfirst, cyber company called
RipTech. So, you know, I had alot of confidence in him being
able to, to do this. But, butfor the most part, you know,
when when you have a brandthat's iconic like that, I mean,
you know, while I was there, wewere able to get a DOD site
(38:18):
license, federal government moreor less site license, and, you
know, do things like that allacross the world. You how do you
build up on that?
Well, you gotta do someacquisitions. You gotta maintain
those partnerships, and yougotta you gotta keep doing those
those those kind ofrelationships. So I've been very
happy with what they've beenable to do. But I'm gonna not
pretend like I'm responsible forany of that stuff since I've
left. I made the consciousdecision to very much not hover
(38:41):
and just, you know, be a fan.
Right? Like, some formerfounders wanna hang out on the
board or Twitter or whatever,and I've really tried not to do
that.
Sid Trivedi (38:51):
Well, talking about not hovering, you know, you kind
of have this 14 year reign from2,002 to summer of 2016 as CEO
and cofounder. And then in thesummer of 2016, you hand the
keys over to Amit, and youbecome a board chairman. And
then you do that for another 6months. And by December of 2016,
(39:11):
you also resigned from theboard, if I'm correct, and, you
know, correct me if I'm wrong.And in January, you and Cyndi go
and start this new organizationcalled Gula Tech Adventures.
And the mandate in the earlydays was to focus on early stage
security startups. But could yougive us a sense for what was the
strategy there? Because it wasvery different from we've had
(39:33):
Dimitri on and Dimitri invest instartups, but he's not doing it
through some type of structuredvehicle the way that you and
Cyndi are doing it. So give us asense for why you did that.
Ron Gula (39:42):
So when when we left, you know, we wanted it we wanted
to be active in cyber, and youcan't be active in cyber and
just do policy. You can't beactive in cyber and just do
philanthropy, and you can't beactive in cyber and just do
venture. Right? I mean, peeppeople have careers in all three
of those fields, But when youlook at, like, the whole nation
and some of the complexitiesthat we have to fall, we really
(40:03):
purposely called Google TechAdventures Adventures and not
Ventures. And it's funny.
More than once, I've done aninterview where they said, Ron
Gool, the founder of, you know,Goolatech Ventures, you know,
but it's it's an adventurebecause we think it's all very,
very related. And, we're beingvery purposeful about trying to
balance the you know, all thosedifferent kinds of, of work. Now
(40:25):
there's a lot lot of ways toslice this. I've talked to a lot
of folks who are veryphilanthropic, and they invest a
lot, and you don't even knowtheir names. And they're you
know, but they've got they writebig checks and and that sort of
thing, but they chose to beprivate.
Now you had Dmitri on at yourlast episode. Dimitri's doing
Silverado Poly Excel PolicyAccelerator, very public about
that. He's very private abouthis direct investments and that
(40:46):
sort of thing. He does a lot incyber and outside of cyber. You
know, we've chosen to do certainthings.
My point is there's a lot ofways to go there. We really
found this balance. And, there'sa great interview from some guy
named Ross who basically calledus a cyber impact hub, which I
thought was awesome. I've usedthat a couple times for what
(41:08):
we're doing. But the reality iswe're trying to do a number of
things.
It's just be a resource topeople who make policy, people
be a resource to people who areinventing this because we don't
have enough people to to fightChina and Russia. We don't have
enough people to protectourselves from ourselves. Like,
we're inventing more stuff thatexploits our data and our
privacy than I think theRussians and Chinese do to us on
(41:29):
any given day. So it's, youknow, how do you beat that drum
and and create an ecosystem thatthat is doing that? Of course,
we're not doing it alone either.
We co invest with a lot of greatother funds. We do a lot of
cyber philanthropy with othergreat cyber philanthropists. So
so there's a you know, we'rehappy to be sort of doing our
part.
Ross Haleliuk (41:47):
Gula Tech Adventures is indeed a very
different, organization, partlybecause if I'm not mistaken, up
until now, you have notofficially raised the fund.
Correct? It is your own moneythat you've decided to put to
put in towards the investing.What made you choose that path?
Like, what made you not go out,just raise a fund, and and play
with somebody else's money?
Ron Gula (42:08):
So we thought about it. We thought about it. You
know, we've put a little bitmore than a $100,000,000 to
work, and some of the moneywe've we've recycled. So it's
probably a slightly biggerbigger number than that. But the
reality is when we left Tenable,we were responsible for I think
it was 600, 700 people.
So the first few years of doingthis, Cyndi and I didn't wanna
hire anybody. We've got a greatgreat team right now. It's small
team, but we're gonna try tojust use our time and some
(42:32):
equity to get things done. Andnow we've we're at the point we
need we need some help. But if Itake a dollar from you, Ross,
and I invested, I feel like I'mgonna have to give you a report
on what I'm doing for thatdollar.
And I didn't wanna do that.Right? I'd rather attract people
to invest in the companies thatwe're working with and have them
have the relationship with, withthe companies. And and that's
(42:53):
also something that's a littleuntraditional. Like, most people
in my position will do somethingcalled the special purpose
vehicle, where I'll get apercentage of that.
But now I'm involved in managingthat and and whatnot. And I just
we just didn't wanna do that.Plus, like, I think a lot of
what we have to say is reallyimportant, and they should
listen to us, but we're not theonly voice in the room. So, it's
(43:13):
sometimes a family office isgonna have, just as much to say
as another venture fund. And Iwant the founders to be exposed
to stuff because, I mean, firstthing I realized in this
business is a lot of VCs getreally lucky.
Right? And a lot of times theyou tell somebody, do x, y, and
z. You're gonna do well. It'sprobably the right advice, but
it might not might not happen.Right?
So it's we're trying to be, youknow, part of the ecosystem and
(43:34):
and do our part, like I said.
Ross Haleliuk (43:36):
So Gula Tech Adventures right now has over 50
companies in its portfolio. Whathave you learned since you've
made the first investment? Whatare you now doing differently?
How are you evaluatingcompanies? And if if something
has changed, then what what whatis it?
Ron Gula (43:49):
So what's what's interesting is that you can work
really hard on a company. Firstof all, what does that mean?
Right? If you're a founder,you're probably like, oh, man.
These VCs don't do anything forus.
Right? But But if you look atthe point of view from the VC,
maybe you have 10 companies.Okay. So what do you do for
those 10 companies during your 5days of the week? Or you can do
one introduction per 10companies.
(44:10):
That's actually a lot of work.You got to contact people. Do
you really want to meet thiscompany that has a cyber widget
that does that? It's a littleopportunistic. And so,
basically, what I've learned isI've learned sort of 2 things.
You know, 1, when it comes topitching companies, we wanna
know 5 things. What problem doyou solve? How do you solve it?
Give me some proof. What's yourask?
And what's your vision ofsuccess? And those five things
(44:32):
are hard to answer for 1st timefounders. Like, they're
embarrassed to say, I wanna goIPO. They're embarrassed to say
that if I raise a half a$1,000,000 from you, I'm gonna
make a $1,000,000 in revenuenext year. They they don't they
don't know that.
Right? But what do they know?What do they wanna say? So we
wanna we wanna know those thosekind of things. And then the the
second thing though is that luckhas a lot to do with this
(44:55):
industry, timing, lock, and it'snot a reflection on the founder
though.
We have a lot of former,military founders, former
intelligence community founderswho had stellar careers, stellar
pitch decks, stellar idea. Theygo to market falls flat, and
they think they're a failure.They're not a failure. Right? I
mean, how do you how can youpredict the buying behavior of,
(45:16):
you know, a 100 CISOs in thefederal government, for example,
you know, that that that kind ofthing.
So there is a little bit ofluck, little bit of humility.
And, you know, that's somethingwe just want to impart onto
those folks.
Mahendra Ramsinghani (45:26):
You know, speaking of luck, Ron, and
timing, of course, you know, Irecall a key management company
I had invested. This was keymanagement in the cloud in 2012.
So 10 years ago, everybody wasso intrigued by the idea.
They're like, how can you dothis? This is so cool.
Not a single buyer. And to addsome salt to that wound, some of
(45:51):
the buyers said, this is socool, but do you really think
that I'm gonna hand over my keysto you, your little startup is
gonna do this in the cloud. Sounfortunately, that company was
a loss. We had to shut it down.Another, sort of market timing
story is about homomorphicencryption.
I remember nerding out with thisfounder and he was like, yes, I
could run full homomorphic andwe could run so many operations
(46:13):
on these blobs of data and blah,blah, blah. Andy Bechtulichime
is an investor, and Index wrotea small check. We all got
excited, wrote a small check. 3years later, like, you know,
again, shut the company down. Sothere are so many of these
stories that we find in ourjourney, and I couldn't agree
more about luck, humility,market timing.
(46:34):
I mean, these are things thatare completely outside our
control. You have this view ofworking with founders. I love
the 5 questions that you sort ofpresent to them and force their
thinking into being very preciseand crisp. What advice do you
give them to stay tenacious likeyou have been, to build a
culture like you did at Tenable,and more importantly, not to
(46:57):
lose this essence of being agood human being.
Ron Gula (47:00):
So it's it's different for every founder, this this
concept of, you know, being agood human being, like, what is
the right thing to do? And and,you know, just like many funds,
you know, we had companies thathad to do layoffs, you know,
over the last year or 2 years,and they had to cut to
profitability. That's tough.Right. So I really felt like
some cases board meeting, veryantiseptic.
(47:21):
Hey, this was done. Maybe callthe founder after. Hi. How'd it
go? Right.
Like, are, are you doing okay?Right. You know, where, where
are you at? Right. So a littlebit of that.
Sometimes it's a little bit of,look, you have to do this or you
will be out of business in 6months, and that's that's tough.
Right? Having said that, I'vealso been involved with a lot of
companies who have just had, youknow, great cultures. They've
(47:41):
really nailed it. Some of thefounders I'm working with are
wise beyond their years as faras building a culture and
rapidly, you know, removingpeople who might be a counter to
that culture and and that sortof thing.
But but what I found is, like,my style is not everybody else's
style. So I'm a little hands offwhen I let people run the
companies the way they wanna runthem. It's their companies, you
know, that that kind of thing.But there's a lot of ways you
(48:04):
can do things. But also, youknow, being a CEO today in 2024,
when you look at the worldpolitics, we look at what's
going on in the country, it's alot different than when I was
CEO, right?
There's a number of things yougot to do, you got a lot of
legal things, you got a lot ofpolitical things, you got a
sensitivity things. So I dospend a little bit of time, you
know, making sure people are notoverly focused on things that
(48:27):
aren't aren't counterintuitiveto their business. But at the
same time, you've got to besensitive to all of those kind
of things as well. What I reallylike is when my portfolio comes
to work with each other. So I'vegot a couple OEMs and cross
customers, cross licenses.
That hardly ever happens in theindustry, and I think the fact
that we have any, I'm quitehappy about that. And we also we
do our Gula Tech event partiesand cigar parties and that sort
(48:49):
of thing, and that's alwaysagain, I like that cigars and
bourbon. Some people might notdrink. They might not smoke.
They don't have to come, butit's you get to kinda do things
that you wanna do.
But that's how we kind of bringthat culture kinda back to, to
everybody else.
Sid Trivedi (49:04):
Well, for the last part, you know, as we get come
to the end of this session withyou, Ron, we wanted to talk a
little bit about Ron theinfluencer. And perhaps the
first big question I have is youhave this organization, Gula
Tech Adventures, but alongsideCyndi, you also have Gula Tech
Foundation. And with Gula TechFoundation, you're trying to
(49:27):
support nonprofits, and yourmission is to defend the
nation's cyberspace. Could yougive us a sense for what are the
problems you're trying to solve?How does the foundation even
work?
And what are the types ofinitiatives that you hope the
foundation will support?
Ron Gula (49:42):
So when when we first started Gula Tech Adventures,
you know, we've always beenphilanthropic. We would put we
would do a donation. I I thinkone of the first ones we did was
select Npower. Npower is a greatorganization that just helps
people who can't, you know, getthe education they want in
cyber. I didn't kind of put themthrough a system, helps them
find a job.
Great. But we would list thosethings almost like investments
(50:03):
on the website. We used to havea website with our portfolio
companies and our philanthropy.But what we weren't doing is we
didn't have the bandwidth tojoin the boards of all those,
come in and work with them on adaily basis and stuff. So we
were we really wanted to dosomething that could help them
the most without I mean, with asmall organization without tying
up our time.
(50:23):
So Cyndi's idea was to, youknow, do the foundation and
basically make it a competition.And because what happened is we
get these pitch decks. Peoplejust email. They find us on
LinkedIn. Oh, I want you to lookat this deck.
Well, we'd read the deck, andthis is where we came up with
the 5 slide pitch deck, by theway. We're reading this, and
we're like, we really don'tknow. Is this a nonprofit or is
this a for profit company?Right? Some people's decks
(50:46):
weren't that good.
And then from that, not only dowe get the 5 slide pitch deck,
but we realized the nonprofitsjourney was basically identical
to a startups journey. Butrather than raising a seed a, b,
and c, you know, if you got amaybe a a grant from a
foundation, maybe you could geta grant from Department of
Homeland Security. I don't thinkpeople are aware how much the
(51:07):
federal government gives tononprofits in cyber for, you
know, for example. And maybe ifyou do that, maybe you get even
bigger grant from, like,Microsoft or Google or something
like that. And that's exactlywhat goes on in there.
So we recognize that designpattern and said, we're gonna
just not write checks and nottalk about. We're gonna make it
a competition and make a bigdeal. So we got a a grant
(51:27):
committee, And we also want tobe very purposeful. And so we
did topic to topic to topics. Soone of the topics first topics
we did was increasing AfricanAmerican engagement in in
cybersecurity.
So nonprofits out there that,that focused on that sort of
thing. And we've done about 7 ofthese grants. We didn't do a
grant this year. We're veryfocused on just we're we're
(51:48):
kinda retooling a little bit.We're gonna probably make some
announcements down the road.
But the grant structure wasreally good. Almost everybody
that received a grant from uswent on to get a bigger grant
from somebody else, much like inthe venture capital world. So
I'm very happy about that. Welist everything at if you go to
gula.tech, gula.tech, go to thefoundation page, they're all
listed there. Sometimes we'vedone videos with these these
(52:11):
organizations to get a sense ofwhat they are.
My last plug for people, look,in cyber, there's a lot of
people who have the impostersyndrome. I don't know why that
is, because I think everybody Imeet is really, really good.
But, man, you wanna feel likeyou're giving back, volunteer at
a nonprofit. It doesn'tnecessarily even have to be a
cyber nonprofit. Go to yourlocal hospital, go to your go to
(52:31):
your town and just see what youcan do.
And believe me, you can do alot. The nation needs everybody
in cyber to do, you know, dotheir
Ross Haleliuk (52:39):
part. Talking about different ways of
influencing the industry. Overthe past several years, I've
built venture insecurity. Andlast year, it has achieved over
500 1,000 reads, which is, it'sit's a lot for a blog. And,
frankly, I know how hard it isto create consistently valuable
content.
Given that your YouTube channel,as of right now, has over
(52:59):
100,000 subscribers, whatmotivated you to start creating
a content? How much time do youallocate to do it? What does the
process, for you look like?
Ron Gula (53:08):
So it's it's interesting. When we first
started the the YouTube channel,I it was I was going more for,
like, a Joe Rogan type of thing.I put a lot of effort into being
able to sit down with goodquality microphones in person,
and then COVID happened. Right?So I literally, I mean, we do
this out of our out of our home.
I'm having strangers well, notstrangers, but you know what I
(53:29):
mean. People come in the houseand sit there and do the
interview. And, you know, we dosome and and we were able to
score some really interestinginterviews back then, like the
the cast of the reboot ofMacGyver and and stuff like
that. But, you know, getting afollowing I mean, Ross, you're
very gracious to bring bringthat up, but it's no small task.
Like, you've gotta be on top ofthe content and the the SEO and
(53:50):
and just do things in the rightright things.
But for us, when we switchedfrom doing the live interviews
to more just me talking about atopic with some fancy graphics
or something like that, thatseemed to really resonate with a
lot of people, so I've doubleddown on that. We've been doing,
like, 1 episode a week. We're upto, like, 250 episodes. And, you
know, I think the fancy graphicshelp, but that's a gimmick. It's
(54:12):
I think the content is reallywhat sells.
The other thing is that it's notjust cyber. Like, we focus on
start up messaging. So, youknow, we'll do how to name your
company, but we'll also do,like, obtuse con topics like,
you know, what when should youdefer salary if you're having
payroll, you know, if you'rehaving cash flow issues. Right?
And that's a tough thing to talkabout.
But but that got that seemed toresonate with a lot of people.
(54:35):
So we're quite happy with thatthat following, and we're gonna
keep putting some more effortinto it. I, I really like every
everybody says they know AI. Somy excuse for spending time with
the graphics is everything I dohas some sort of AI technology
behind it. So I feel like I'mworking with with AI.
If you've seen some of thevideos where the characters just
talk to each other, 100% AIgenerated. Didn't move a key
(54:58):
frame or anything like that forthat stuff. So it's crazy how
far that technology comes.
Mahendra Ramsinghani (55:03):
So Ron, here you are, 3 decades of
innovation, entrepreneurship.Now you're giving back to the
community with a very big heart.So look at the first phase of
cybersecurity. It's aboutdemonstrating your intellect,
demonstrating your ego,demonstrating your skill. And
now you're here demonstrating abig heart in your philanthropy
(55:26):
and, the work you're doing withyour videos, which, by the way,
are so cool.
In fact, I particularly enjoyedthe one where you talk about how
a booth can be designed so thatit attracts the right kind of
traffic in a show like RSA. It'ssuch a simple topic, but nobody
has done that. So thank you forcontinuing to keep your creative
juices alive and continuing toinnovate yourself. I think for a
(55:49):
lot of us, you will be the JoeRogan of cybersecurity, or you
might be the top gun, you know,Air Force pilot for
cybersecurity. But as we look atyour next phase of your journey,
how do you continue to challengeyourself?
How do you think about what thenext 5, 10 years of Cyndi and
Ron Gula would look like?
Ron Gula (56:09):
Thank you for those comments. I mean, we put a lot
of effort into the investing,the philanthropy, and getting
that out. So I appreciate thosecomments. You know, I I think if
anything, anybody's gonna try topredict the next 5 years is it's
tough. I think we've got a goodview of things because we get
pitched a lot of stuff.
So there's a couple couplethings. So like, we spend a lot
of time with policymakers, andeverybody wants to know how can
(56:30):
we get the DOD more secure? Howcan we get the nation more
secure? And I mean, we've seenso many different things. Our
answer there is we want we wantpeople to think of, you know, IT
and and data, like health care,and just call it data care.
And I was literally like, I'm anadvisor for the Military Cyber
Professionals Association. Andwe had a I I don't wanna go into
a whole lot, but the commentwas, look. Even though this is
(56:51):
the military, you know, some ofthis stuff is carrying feeding
you the data, and it it's kindawe need to make the people who
are are patching the systemsfeel like they're just as
important as the people who arehacking Iran and and, China and
Russia. So in unless until wehave that mindset, you know,
where we can get cyber people tobe just as well respected as a
doctor or a lawyer, you know, Ithink we're gonna have a a hard
(57:12):
time there. And the second thingwe're tracking is AI.
And, I mean, I think there's alot of opportunities for
productivity and for thebetterment of humanity, you
know, with AI in general. Butthere's a lot of opportunities
for things to happen where, youknow, only certain companies
control the AI and, you know,they get to see what we're
(57:32):
asking kinda like what happensnow when we query Google and and
stuff like that. And that thatcan really, really hurt society,
especially if things go a littlebit more draconian than than
they have been, you know, in thepast. So we're tracking a lot of
that stuff. You know, there'sdisinformation is such a big
problem right now.
I'm actually working on a videowhere I have somebody from the
(57:54):
future come back to RSA, andthey have a conversation about
how they they, do things. Andthey literally say, well, you
know, we really don't know muchabout IT security from the 2000
because of the AI anddisinformation wars. Right? And
it's, so you you never knowwhat's gonna happen. Right?
But that's really what we'relooking at. We're blessed. We we
do a lot of really fun things,and we get to go to a lot of fun
(58:17):
places, but we're prettyfocused. I I mean, every year I
go to RSA, and I'm like, this ismy last RSA. I'm never going
back.
And then I leave, and I go, ohmy god. That was so much better
than what I thought it was. I'llcome back next year. And, you
know, it's it's important thework everybody's doing.
Sid Trivedi (58:31):
Well, thank you so much, Ron, for being so generous
today with your time talkingabout pre Tenable, the early
years, the formative years,starting 2 companies, then
starting Tenable, then yourinvesting background, all of the
work you're doing today toinfluence the industry. For our
listeners, what's the best wayto connect with Ron, hear more
about Ron? Should they justsearch Goolatech Adventures, or
(58:54):
is there a specific channel oror way you want folks to
subscribe to you?
Ron Gula (58:58):
LinkedIn's the easiest way. So I'm Ron Gula on
LinkedIn. You know, I got mystart in computers from my dad.
My dad's also Ron Gula, and hehas a LinkedIn account. So if
you see a guy without a picturethat doesn't have gray that has
gray hair more than mine, that'snot me.
That's my dad. But having saidthat, LinkedIn's fine. You know,
if you come to the YouTubechannel, check it out. You know,
what what I'm always looking foris if people have questions.
(59:20):
Like, I usually get people, hey.
Can I come pick your brain? I'mlike, that's one of my most
annoying ask because I do wannasay yes. But I'm like, chances
are the questions you have, I'vealready watched. I've already
done a video on. So my feelingis if I haven't answered
somebody's question, send methat question.
I'll make a video, and, we canwe can talk about it. So, that's
the best way to get ahold of us.
Sid Trivedi (59:40):
Thanks so much, Ron. Thank you.
Mahendra Ramsinghani (59:41):
Thank you Ron.
Ron Gula (59:43):
Hey. Thanks for the opportunity, and, good luck with
your launch, guys. It's, it'sit's gonna be great. You've got
some great guests coming up.
Sid Trivedi (59:51):
Thank you for joining us Inside the Network.
Ross Haleliuk (59:54):
If you like this episode, please leave us a
review and share it with others.
Mahendra Ramsinghani (59:59):
If you really, really liked it and you
have some feedback for us, wrapit on a bottle of Yamazaki and
send it to me first.
Sid Trivedi (01:00:09):
No. Don't do that. Mahendra gets too many gifts
already. Please reach out byemail or LinkedIn.
Welcome to Inside the Network. I'm Sid Trivedi.
Ross Haleliuk (00:08):
I am Ross Haleliuk.
Mahendra Ramsinghani (00:10):
And I am Mahendra Ramsinghani.
We have spent decades building,investing, and researching
cybersecurity companies.
Sid Trivedi (00:19):
On this podcast, we invite you to join us inside the
network, where we bring the bestfounders, operators, and
investors, building the futureof cyber.
Ross Haleliuk (00:31):
We will talk about the hard parts of the
founder journey. Launchingcompanies, getting to product
market fit, raising capital, andscaling to an exit.
Mahendra Ramsinghani (00:42):
And, yes, we will also be talking about
epic failures.
Sid Trivedi (00:46):
But, Mahendra, we're here to make the founder
journey easier.
Mahendra Ramsinghani (00:49):
That is correct, Sid. But we cannot make
it too much easier becausestartups are hard. And, of
course, you already knew that.
Ross Haleliuk (00:57):
Alright, you too. Enough. Let's get started with
this week's episode.
Welcome, Ron, to inside thenetwork. Before we go into the
episode, we just got out of RSA.It was an exciting conference.
There were over 50,000attendees, and it was great to
see you there too.
What were your key learnings?What did you see?
Ron Gula (01:19):
I think the biggest thing I saw was the excellent
use of artificial intelligence.People who were doing AI for
security talked about it likethat. There was no high level,
superfluous marketing there, andI still can call it the RSAI
conference because AI is gonnaeat the cyber industry. So that
was some of my feedback there.
Ross Haleliuk (01:39):
Yeah. So for me, I haven't really spent all that
much time on the floor. In theout in the, you know, minutes,
or tens of minutes, I did, goaround. The one thing that stood
out was, I don't remember whichvendor specifically was this.
And I genuinely don't remember.
Not only I do don't want to callthem out, but I don't remember
the actual vendor. What wasinteresting to see, there was a
(02:03):
company that had, that didn'thave a booth, so it had an empty
space. And it just had a signredirecting people to another
booth, essentially saying that,hey. This vendor was acquired by
this other big company. Pleasego to that other big company and
talk to them.
To me, that was that was themost insane marketing decision,
(02:23):
insane marketing choice. Youessentially had like, it doesn't
matter who you are as a vendor.What matters is that you got a
space which you can fill howeveryou want, and that is how you
decided to go about it. So tome, that that was the most
insane part. The mostinteresting and the most
unexpected was probably the factthat there were quite a few,
well, there were few, there werenot enough companies tackling AI
(02:49):
for security or security for AI,but specifically AI for
security.
I believe it was only Protect AIand maybe 1 or 2 other vendors
that were in that space, andeverybody else did not really
have a large presence or anypresence at the floor. That was
that was surprising, and thenthere was also probably 1 or 2
vendors in the AI SOC space or,you know, AI engineer, for a
(03:13):
SOC, and the rest are stillprobably in stealth. So that was
surprising and unexpected.
Sid Trivedi (03:18):
For me, I think the most surprising thing was just
seeing Keanu Reeves in an actualmarketing commercial for a
cybersecurity company. Right?That it was just it was it was
unexpected. You know, we've seenover the years, we've had a
whole bunch of high qualityathletes, actors, you know,
titans of industry go andpromote cybersecurity, but that
(03:42):
it was it was very unexpected.In terms of, what I didn't
expect, I think the number ofnations that had not just boots,
but a large presence, whetherthat's the United States.
I mean, the secretary of stateTony Blinken came and did a
keynote, which was amazing justgiven the fact that just days
(04:04):
before he was in Israel tryingto negotiate a ceasefire. And
then he ended up going toUkraine right after this. So he
ended up spending his Mondaycoming in doing a keynote at
RSA, a cybersecurity conferencein the middle of 2 very, very
large conflicts that arehappening globally. I think it
gave us a sense of how much, notjust the United States, but you
(04:26):
also had presence from Germany,presence from, you know, Israel
and other countries who who arephysically there in the expo
halls but also in sessions. Justhow much different nations care
about cybersecurity.
We got to see it in full force.That was that was different.
Mahendra?
Mahendra Ramsinghani (04:46):
No, that's a very interesting point, Sid,
about how the role of governmentis becoming more and more front
and center, not just inWashington DC where policy
papers are being churned out,but actually being a part of the
floor, being a part of theconference, coming and speaking
at these events. And so, Icouldn't agree more that the
(05:08):
role of government is becomingmore and more amplified. You
know, for me, the parts thatwere interesting, to Ross's
point, the company is gettingacquired where a booth is empty.
I spoke with several VCs whowere talking about companies
getting offers. So one companythat is about 5 to 6 million in
(05:33):
revenues has a $800 millionoffer at the table, acquisition
offer.
And I was asking the CEO,Hallelujah, why did you take it?
And the CEO says, Well, becauseI have a VC giving me
$200 million at a $1 billionvaluation. So as much as all the
doom and gloom that we hearabout companies sort of, you
know, not being able to raisemoney, here are some outliers
(05:55):
that I heard.
Another interesting data point II heard was I talked to a bunch
of CISOs asking their views onAI. And consistently, most of
the CISOs said 99.9% of whateverthis AI snake oil is bullshit,
literally. And so, so I justsort of like say, hey, wait a
(06:16):
sec, but those are my companies.Those are investors who are all
excited about AI. And this userwould be like, yeah, yeah, yeah,
your excitement becomes my prop.
Sid Trivedi (06:26):
Too much too much fun.
Well, Ron, let's go a little bitinto kind of a few different
parts of your life, and we'regonna start with a little bit of
information on what you weredoing before Tenable. Of course,
we'll talk about the Tenablestory and all the learnings you
have had. We'll talk a littlebit about after Tenable, both in
(06:47):
terms of your investing career,which is now quite long, as well
as a little bit about whatyou're doing to try to influence
the industry, both through yourfoundation work and and other
work you've done. But let'sstart with your background and
your childhood.
Tell us a little bit about Ronbefore Tenable. Everyone talks
about Ron, you know, this veryfamous founder of Tenable and
(07:09):
CEO for 15 years, but very fewfolks have really understood
your background and where youcame from.
Ron Gula (07:15):
I appreciate the opportunity to share that
because I think everybody incybersecurity should think about
what they're doing as equalimportance as we try to
professionalize our industry.But I was fortunate enough to
grow up. My mom and dad lived upin Syracuse, New York, grew up
in upstate New York, went toClarkson University. 1 of my
roommates was, Marty Roesch, theguy that that did Sourcefire.
(07:36):
Right?
So we were good friends back inthe day, and and, he's doing his
own thing at Netography now. Butfrom Clarkson, I joined the Air
Force. I wanted to be a fighterpilot. I actually got into
fighter pilot flight school.There's a flight school where
you can go to instead of havingto be the 1st in your class to
get an f 16 or an f 22.
You would have to be anybody inthis class and you can get
(07:56):
something. But it turns out Ipulled a little bit of g's and
it didn't really work out toowell for me. So I got out of
that and got into my first love,which was always computers. And
from there, I end up working ona tour at the National Security
Agency where I was doingpenetration testing in the
nineties. And nobody called itCyberback then.
It was information operations,CNO, CNA, computer network
(08:17):
defense, all that kind of goodstuff. But I got to be involved
with some national exercises,something called eligible
receiver, which you can Googleand find a few things, but was
kind of a cool test that was wasinteresting. I was involved with
that a good bit, and, theplanning side. And, I got out,
worked for a, it's a bad term,but a Beltway contractor, BBN.
You know, the people whoinvented the Internet, I got to
(08:39):
meet the guy that did the atsign and and stuff like that.
Got to learn how to dogovernment procurement. But from
there, I really started workingat startups. I joined a company
called US Inter Networking, wassort of like a cloud one o
company. And they were doingthings like buying PeopleSoft
and exchange licenses andselling them to multiple
customers. Nobody heard of SaaSback in the day.
So I got to understand newlicensing and selling new
(09:02):
licensing with new models andwhatnot. But while I was there,
I was running intrusiondetection, so called risk
mitigation. I wasn't the CISO. Iwas the guy doing the pen
testing and keeping hackers out.And, I had the idea to to write
Dragon.
And I came home one day, talkedto my wife, Cyndi, and said, I I
need you to figure out the thebusiness side of things. I'm
gonna figure out how to write aproduct and sell it. And within
(09:24):
18 months, we had sold thatproduct for, just couple double
digits. We had massivedeployments to DOD, Citibank,
AOL, that kind of stuff. And,the people that bought us were
from Interisys, Jack Hufford,And we ended up going on to
start a 10able network security.
So that's a fun story. I lovetelling it. And, you know,
everything we did was kind ofbuilding upon what we did in the
(09:46):
past. And I'm just trying togive back now.
Ross Haleliuk (09:49):
Very interesting. Ron, you started doing
information security well beforeit was called cyber. And it's
interesting to me, what wassecurity like at that time? How
many people worked in theindustry? What was the industry
like?
Where did you meet others? Didyou indeed congregate as a
community, or was it still allvery, disconnected?
Ron Gula (10:09):
So there was a lot of interesting overlap. So, you
know, working at the NSA,working as a pen tester, the
world went through a number ofchanges. Right? We used to hoard
exploits. So if you were on thescene in the nineties, you know,
0 days, you would trade them.
And I still remember trading 0days with various people, and
(10:29):
then something changed in thelate nineties, early 2000. All
of a sudden, it became the coolthing to publish and get credit
for that. So that was a reallybig deal. There was always
collaboration. Like, I mean,Gene Spafford, Matt Bishop, a
lot of these gray beards, theywould come by, you know, the
NSA.
We'd see these people, you know,at RSA. We we would talk to
(10:50):
them, and there's a lot ofcollaboration there. But cyber
wasn't really cyber untilpeople's websites started
getting hacked and peoplestarted, you know, stealing
money from banks and and thatsort of thing, and then the
whole industry just kind of kindof exploded. And if you didn't
kinda grow up in the industry,it's people on the outside who
it's become so insular that ifyou didn't grow up in the
(11:12):
industry, it's really hard toget into the industry. I'm sure
we'll talk about that a goodbit.
Because we speak so manydifferent languages, and then we
have so many things that we doin cyber that just turn non
cyber people off, whether it'sthe language of talking about
hunting the Russians or theChinese on the network. Right?
Which can be a little too overlymilitaristic and maybe turn off,
you know, certain parts of thedemographic and stuff, or just
(11:34):
the the jargon that we do. It'sit's not very inviting to, to
people who want to makedecisions about important things
about where their data is going.So so that's the biggest things
I've seen change over the lastprobably 15, 20 years is just
the popularity of cybersecurityand the continued lack of
understanding of what it doesbecause the technology just
changes so fast.
Sid Trivedi (11:55):
And just, you know, following up on that, Ron, this
question that Ross asked abouthow the cyber community was so
early when you got started, didyou think that you wanted to go
into cyber? Was cyber even a acategory that you define? You
talked about your Air Forcedays. I've read that you wanted
to be a pilot, and and thatwould have been kind of partly
(12:16):
your dream. So how did you kindof fall into to cyber?
Ron Gula (12:19):
Yeah. I I think I'm gonna coin something new. I I
don't think I've said on otherother shows, which is not only
my failed fighter pilot, but butthe basic plan was to to go to
fighter pilot school and getinvolved with, like, the UFO
program. And, so when I startedworking at the NSA, people were
like, oh, are you working withwith the UFOs? Like, no.
I'm not working with that. Of ofcourse, you are. Right? So so
(12:40):
that that you know, I reallywanted to do that sort of stuff.
And one of the reasons that gotme into cyber is I was reading,
you know, the online UFOstories, that sort of thing.
And, I'm not gonna say I wasreading them on YouTube that was
more like a bulletin board. Youhad to get with a modem or
something like that right backin the day. But right next to
those UFO stories was frack.Right next to that, was a ATLGM.
(13:03):
So I was able to to go from thatto, oh, there's a lot of really,
really good things to teachyourself about that.
So that's that's how I kinda gotgot into it. I think a lot of
people back in the day got intoit because it was this sort of
edgy, are you a hacker? Are youan information security
researcher? Regardless, you hadto spend a lot of time teaching
yourself about how how does SNMPwork? How does Ethernet work?
(13:25):
How does how does, you know,these various protocols work?
Mahendra Ramsinghani (13:29):
You know, one of the refreshing parts
about you, Ron, is how you andCyndi together have played this
role in cybersecurity. The 2 ofyou are both investing, doing
good work at the foundation.Even at RSA, you're sort of such
a well integrated couple, bothin your personal lives as well
as your work lives. Incybersecurity, we rarely see
(13:50):
this. In fact, the only otherperson I can think of is Caleb
Sima.
You know, he invited his mom toa talk he gave on AI. And, you
know, the audience just loved itthat he had brought his mom. And
I saw his pictures, he broughthis kids to RSA. So share with
us how we as human beings andindividuals can learn from some
(14:12):
of the things you're doing here.
Ron Gula (14:13):
So it's it's interesting. I didn't set out to
do, this is the 3rd company I'vedone with Cyndi now. And it's
not everybody comes out to usand says, oh my gosh, it's so
good, so unique. And and it's,it's so nice to see, you know, a
loving couple out there do dowork. But the reality is you can
work I I just we were justspeaking at a military
conference called HammerCon.
(14:33):
And we said, look. This issomething you can't do. Like,
you cannot command an aircraftcarrier, and your spouse cannot
be in charge of the, f 18squatter. Right? It's just it's
just not something.
Can't do that in government. Alot of big corporations, you
can't do that. But but if youstart your own company, you can
do whatever you want. And itreally, really worked out that,
(14:54):
when you take a risk to start acompany, you know, your spouse
is taking that risk too. And Ithink I think sometimes people
start companies, and maybe theother spouse is working and it
gives you this kind of a acushion and there's nothing
wrong with that.
But at the time, Cyndi and Iwere were both sort of thinking,
hey, let's go all in on this andwork on it together. And it it
worked out. Then maybe there'sanother universe where it didn't
(15:16):
work out, but but it worked outin this universe. And not only
do we do it once, but we did itagain with Tenable. And in that
story, you know, Cyndi was verygracious, very much backroom,
not front and center.
And you because again, we got alittle bit of negative
connotations with the husbandwife sort of, mom and pop shop
would be the the negative termthere. But now with Gula Tech
(15:39):
Adventures, we speak together alot. She's keynoted on her own.
She's on the boards ofcompanies, you know, and and we
work on a lot of stuff at GoogleTech Adventures as a team. So
that's, you know, some veryexcited about that.
And, you know, not just for, youknow, trying to represent a nice
good marriage and and how to doteamwork and stuff. But it
really helps us when we talk toother companies, even if the
(16:01):
founders aren't married. Right?Or just maybe it's a father and
son. Right?
Or maybe just 2 people fromcollege. You have to answer
questions like how do you makedecisions? How do you resolve
conflict? What are your goals?And, work on those
communications.
So that's really like themessages that we have to say is
like, it just really refined.What are your goals? How do you
communicate? And what are therisks that you're taking?
Mahendra Ramsinghani (16:22):
And you know, the most important part
here, Ron, is that when Cyndisteps up you know, at RSA, we
don't see this balance ofgender, balance of diversity. So
we're very, very grateful thatboth of you do this together. It
also gives opportunity to a lotof other female founders, and
more importantly, female CISOs,who sometimes feel like they may
(16:43):
not necessarily have a voice inthe room or they may feel not as
empowered. So thank you. I knowCyndi is not with us today, but
please extend our gratitude toher.
Ron Gula (16:52):
I will. I will. And we do get that. It's funny because
we do get the opportunity tospeak on a lot of different
things. We've done a lot ofdifferent donations through our
our foundation, a lot ofdifferent competitions.
And we're not experts in thethings that we've tried to
support even though we know thatthey're there. So one of the
ones we did was benefited, youknow, just increasing cyber
awareness at the, boardroomlevel. And, you know, the group
(17:15):
that won it ended up getting,almost a 1000 women trained in
the, qualified technical expertis the standard. I was pretty
excited about that because thatreally increases diversity,
really increases not justdiversity of of the sexes and
and and so but actual diversityof thought. And and that's
really where I think the nationreally benefits.
(17:36):
Like, I like, don't get mewrong. I'm I'm quite happy that
we have a diverse group ofpeople and stuff, but I like
diversity of thought andapproaches so much more. And the
comment I usually make aboutSynchronyze, I think one of the
reasons we work well togetherfor both engineers. We're more
worried about having the correctsolution than being perceived as
having the right solution. Soit's it's pretty good.
(17:59):
And I think one of the thingsthat stories out there, if you
ever watch Ozarks, you know, thelead character, he'll it'll be a
very stressful situation, andsomebody will say something.
He'll be like, that's nothelpful. That's very much how
how we look things like, what ishelpful, what gets us the right
things, and how do youcommunicate about that?
Ross Haleliuk (18:15):
Interesting. One of the things you've just
mentioned, was about the risksof starting companies. And I'm
very curious because today, itfeels as if the whole idea of
entrepreneurship has, to acertain degree, been derisked.
Right? There has been a lot ofeducation around starting
companies.
There is a fairly mature ventureand investor ecosystem. What was
it like when you were startingyour first business?
Ron Gula (18:37):
So it's interesting. You know, coming out of the NSA,
coming out of the air force, youdon't really get a whole lot of
here's how to transition tocivilian. Here's how to
transition to start a company.Nowadays, you do. The the
military has great programs ontransitioning, you know,
veterans in the private sectorand and on but back in the day,
it was very much, oh, go go workat a Beltway band.
(18:57):
It get picked up by by somebodythere. You'll have a you'll have
a good career. You're anengineer, that kind of thing.
There wasn't anybody tapping onyour shoulder that says, look.
If you got a couple ideas, youcan get some coders and and
start a company.
So literally, I I would go tosome economic development, some
it was basically meetings withbusinesses, and I'm sitting next
to people who have, like,cupcake shops. Right? And I'm
good. They're working hard.They're working just as hard as
(19:18):
we are, but it's a different setof stuff when you're doing
cyber.
So what we did in the latenineties, early 2000, we kinda
did on our own. Right? We neverreally talked to venture capital
people. We never really had whatI would consider professional go
to market training. We neverreally had any of that stuff.
And, we did quite well. Andpeople are astounded that we,
you know, brought a company tomarket and sold it to the
(19:41):
federal government, sold it tothe intelligence community, sold
it to major banks, and gotacquired. We have multiple
offers for what we did. So nowwhen we do investing, like, one
of my biggest questions is,like, what's your risk here?
Like, why you don't need toraise money to, like, build a
nuclear reactor.
Right? You you need to sell somestuff. Usually, the founders
selling stuff. And I guess wehave a lot more higher
expectations of startupcompanies. And we're also very,
(20:03):
very aware that when you start acompany, one of the biggest
risks if you're successful issomebody like come along and
make you an offer that you willtake.
Right? Well, you're you're 18months into it, and here comes
Cisco and they buy you. Thatthat happens quite a quite a
bit. So we understand thatfounder's journey a whole lot,
but at the same time, we just weknow a lot of founders. It just
the the team didn't work and,you know, a lot of businesses
(20:25):
don't make it past that 1st yearor 2 years, or they they get
into that zombie state wherethey're making services and it's
business, but it's not a productbusiness, that sort of stuff.
Sid Trivedi (20:39):
Well, we bounced around the idea of Tenable a few
times already. So let's go intoit in a little bit more detail.
In late 2002, you get startedwith this new company, and that
company in the early days isfocused on vulnerability
assessment and management andends up going and creating this
new category, which is calledcyber exposure management today.
But in those very formativeyears, how did you pick Jack
(21:04):
Hufford and Renaud Deraison towork together to go and start
Tenable? And how were you evendividing up responsibilities?
Was it that you were CEO andsomebody was CTO and someone was
CPO? Or were you kind of workingtogether? How did you make that
decision?
Ron Gula (21:19):
Yeah. I I love telling the story because everybody
really needs a great set offounders and a great team. And,
you know, the way I talk aboutit is I had I had Cyndi, I had
Jack, I had Renaud. They allworked extremely well together,
and and it was a reallyinteresting story. Right?
So Jack knew Cyndi and I. He haddone the diligence on acquiring
network security wizards for forInterisys. So he knew how well
(21:42):
Cyndi ran the books, ran theoperations, ran the board
meetings, ran all that kind ofstuff. And of all the companies
they acquired, they said ourswas the easiest, not because we
were the the smallest, but itwas the most well organized. It
just kind of made sense,engineers running all that that
kind of stuff.
So Cyndi and Jack really did alot of the initial, how does the
company work? How do we dopayroll? How do we get an
(22:03):
office? How do we do all thatthat kind of stuff? Renault and
I did a lot of the originalcoding.
I had the CTO. I was probablyone of the few founders, had the
CEO and CTO style. Renault isvery public right now, but in
their early days, Renault wasnot as public. So I would
introduce myself as CEO, CTO.And it's actually something I'll
I'll criticize myself forbecause I actually will call
that out.
And, you know, if you're afounder and you're the CEO,
(22:24):
great. If you're technical,that's that's great too. But but
I got lucky. I mean, every oneof those people smarter than I
am in their areas, and I canspeak their language. So I could
still p speak code, speakarchitecture.
The thing that I think I broughtto Renault and and Jack and
Cyndi was having been a pentester, having been, you know,
an operator, I can put myself inthe operator shoes, and I'm
(22:45):
speaking the customer'slanguage, everybody else's way.
But the reality isdisagreements. But we really
agreed on a lot of things. Imean, and we went 15 years or so
became super, super successful,we really, really worked well
together. And, you know, Idefinitely miss working with
those folks every day, but theculture that we put together is
(23:05):
really kinda I think a meet yourend is doing a great, great job.
But a lot of times when I hearpeople who are working at
Tenable, first thing they sayis, love working here. Love that
culture. It's very enduring.That's kind of that gestation.
Oh, there's one other story.
You never know how you're gonnado it. But when I was doing
Dragon, we had worked withRenault on taking Ness's
vulnerability scans and mappingthem to attacks. Because one of
(23:29):
the things you would do withnetwork intrusion detection is
you could see an attack going toa Linux computer, But if that
computer, in fact, was a Windowscomputer, maybe you could ignore
that attack. So having done thattype of correlation with
Renault, we were like, we knewabout Nessus. We knew we knew
Renault.
We we thought it'd be really,really good to, to have that as
part of the Tenable platform.
Sid Trivedi (23:50):
You talked a little bit about dividing up
responsibilities. I'm curiouswhile you can work together as a
team when you have so many folksin those formative years, who
made the executive decision whenthere were these arguments
between yourself, Jack, Renault,and Cyndi, who was the person
who would say, well, this is theway we're gonna go after a
debate?
Ron Gula (24:08):
Well, I mean, I was I was CEO, so I got to make a lot
of those decisions, but itwasn't like my way or the
highway every day. You don't go16 years making a unilateral
decision, you know, all the timelike that. So I wouldn't I've
just I almost feel a littleuncomfortable talking about it
like that. But at least wetalked about it quite a bit.
Right?
And there were a lot of thingsthat when you really start to
(24:28):
like, I'll give you a goodexample. When we do like, okay,
we're going to change theinternal framework architecture
of Nessus. Great. Are we goingto suffer some customer
features, maybe for a quarter or2, but we're going to then do
it. So like, so Cyndi and Jackwould have a tremendous amount
of of trust of, like, Renaud andI when we made something like
that.
Another thing that we did is weswitched today in 2024. I mean,
(24:51):
everybody sells things.Everything's ARR. Everything's
SaaS. Right?
But back in the the latenineties, you sold thing
perpetual, and you sold aseparate maintenance discussion.
Right? Well, flipping from thatto SaaS was tough. And Bruno,
believe it or not, had a lot ofempathy for the customers. And,
you know, sometimes it was muchmore on the side of, oh, no.
(25:12):
We can't, you know, we can't letthe customer down and and that
sort of thing. And then there'syou know? So the it's it's a
really interesting, you know,discussion at that point. But
I'll just tell you that thediscussions we had were very
healthy, very well respectful,and it was it was good. Now the
hard part though was when Cyndiand I were on different pages.
Right? Because when Cundi and Iwere on different pages, it's
(25:32):
sort of like, hey, mom and dadare fighting. Right? And it's
like, no. No.
We're engineers talking about,you know, these situations and
and that sort of like and werecognize it does put people in
a, an awkward comp you know, anawkward position. But, you know,
you don't you don't hide thefact. Right? I mean, it's,
voluntary related is how we liketo to talk about it.
Ross Haleliuk (25:52):
Ron, Nexus was originally built as an open
source solution forvulnerability scanning. And then
in 2005, it became a proprietarysoftware. Since you've just you
were just talking aboutsubscriptions, what was the
journey of monetizing opensource nearly 2 decades ago?
Like, how did you navigate it?Like, what was hard about it?
Ron Gula (26:10):
Yeah. So when when we went through that, that was
something that if people said,like, what was something you did
well that was really risky? Thatwas something we did really,
really well because we were ableto communicate the change to
people and communicate why wedid it and, you know, give
people alternatives like the,you know, we basically the fork
(26:31):
was out there. Right? So itwasn't like we we were taking it
away from people.
Right? We it it was still outthere. But the reality is like,
everybody thinks of open sourceas free and written by a
community. Well, today, if Isaid open source, the vast
majority of people will focus onfree, and they don't really
focus on community. NASA's workwas tenable.
(26:55):
And we literally we had likehundreds of engineers writing
code, And it was this is notsustainable. Like, this is not a
sustainable, you know, sort oflong term thing. So we wanted to
change that to make a betterproduct for people because we
saw all of these vulnerabilitiescoming and stuff like that. And
also back in the day, we wereactually also penalized for open
(27:15):
source. We would go into dealswhere it would be like, if it's
a half a $1,000,000 deal and anda bank would be like, you need
to buy, like, half $1,000,000 ofof indemnification insurance
because someday somebody mightsue you and then sue us because
of, because of your your sourcecode that you're using.
So so we were we wereincentivized by the market to
kinda go this way, you know,which is a really interesting
(27:38):
thing because nowadays, almosteverybody's everybody's SaaS
offering has some open sourcecode on the back end, but people
don't know it or see it becauseit's behind a mobile app or
behind a web. And, you know,there's plenty of that stuff
that stuff floating around outthere. But, but, yeah, that was
the biggest the the biggestthing I'm proud about with that
is that we communicated itreally well. We had some really
(27:59):
good advisers on how tocommunicate that and put that
out, and it was, no no regretsthere at all.
Mahendra Ramsinghani (28:07):
So, Ron, let's shift gears a little bit
into the venture capital side ofthe journey at Tenable. So,
Tenable raised a $50,000,000Series A a after almost 10 years
of operations. 1st, talk to usabout what that 10 years was
like. You completely bypassedbypassed the classical formula
that most founders use, whichis, I first need money to build
(28:30):
something. And here you aresaying, We're going to build it.
And not only build it, we'llkeep building it for 10 years. I
mean, talk to us about thatphase of the journey. How did
you do it? What were someinternal debates with Cyndi,
with Renault, with Jack, all theups and downs?
Ron Gula (28:45):
So the stories I like to tell about that time are for
founders who are going throughthe struggle right now. So when
we started Tenable, we werefortunate to, you know, come off
of an exit within tariffs. Wehad a little bit of money. We
were not couple less zeroes thanwhat we're dealing with, today,
so to speak. But we were able tofloat a payroll check here and
there.
And so when we talk to foundersabout going it and going through
(29:07):
tough times and deferring salaryand that sort of thing is it's
really because we've we've livedit. And what that allowed us to
do is get to a point whereTenable was basically cash flow
positive. And and at that timewe did that raise, we had
$50,000,000 in the bank. Sopeople ask, well, why did you
raise? And it was for a couplecouple of reasons.
(29:30):
So so one, you know, you reallycan't go public with somebody
who owns a 100% of the stock. Idon't know a 100% of the stock,
right? But I had a good bit ofit, right? It's a lot more than
most founders. Like theemployees and the founders of
Tenable, we owned that company.
There were no investor that hadlike a 3rd or 45%. Right? So we
(29:51):
were not diluted at all by bythat. But at the same time, that
can get you an acquisition, youknow, which is good. And again,
that's a good goal, not wrong.
But if you're looking to gobigger, you're not gonna go
public with that. Right? So thestory then is secondary sales.
And this gets really obtusereally quick, but the reality is
is all those raises we didbenefited the employees and the
(30:13):
founders in such a way that theywere basically pocketing money,
you know, and then going back towork the next day. And we had
multiple moments when we didthat raise where, like, we pull
people into a room, and we hadto explain what secondary sales
were.
And also have to say, like,well, you could sell right now
and pay off your house or holdit, and maybe, you know, someday
(30:34):
there'll be a public offering.Right? That's an awkward and
very fun conversation I hopeevery founder has the ability to
do. But then we also had, like,tactical issues. Like, you know,
we were just being like, today,it's different.
But in the early 2000, formerNSA founder, lives in Maryland,
right next to NSA. I can tellyou for a fact that we're doing
45, 40, $50,000,000 of revenue,product revenue. Everybody else
(30:58):
from California hears, oh,they're a services government
contractor company. Right? Soraising $50,000,000 from an
excellent, you know, venturecapital firm, you know, Accel
Partners was a really, reallybig statement.
You know, so that was that waswhere, where we were looking at
the time.
Mahendra Ramsinghani (31:14):
That's very fascinating, Ron. Can you
share with us how the initialcontact with Accel occurred? And
then what was the postinvestment phase like for the
next before Insight stepped inwith another $250,000,000
Ron Gula (31:29):
check? Yeah, so I give Ping Li from Accel, partners all
the credit. So Ping would meetwith Jack, then he would meet
with me and Jack, pretty much atevery RSA and every Black Hat.
And, you know, every year wedoubled where we were last year,
you know, and it was just it wasjust one of those things. We
just we were we were machines.
We just kept doing what we weredoing because we every year we
(31:50):
thought, oh, maybe this will bethe year we get acquired. You
know? So we weren't thinkingabout going long until we
started hanging out with Ping.We had a couple other funds that
were were talking to us andstuff like that. But, you know,
it's for the the client, thethe, the employees we had at at
Tenable.
You know, again, coming fromsort of the Maryland, Virginia
area, you know, it's a differentthing. There weren't companies
(32:11):
going IPO in the cyber market.We were one of those first
things. So it was really good tohave, Accel Partners come in.
And, you know, Ping and the teamthere came in and met met the
employees.
You know, we did a lot of that.I mean, you know, they were
minority of it, $50,000,000check, minority investors.
That's kind of it. Again, alittle uncomfortable for them to
(32:32):
flying to the east coast. Youknow, that was interesting.
Of course, you know, today, itit this kind of stuff happens
all the time. But again, early2000, mid 2000, it was, it was
interesting. So then, you know,as we matured, we really got
that pre IPO type of thought.And, we hired, Steve Vince. And
Steve Vince, the current CFO ofTenable, a local Howard County
(32:56):
where where I'm I'm from today,joined and just completely
transformed.
And, like, I have so muchrespect for, you know, the team
that got us to where that thatpoint. But when Steve came in,
professional, you know, CFO, FPand a, all that kind of stuff,
and I all of a sudden, I couldstart seeing 4 years, 5 years
into the future. And, you know,with all sorts of models that
(33:16):
really allowed us to startthinking about, oh, maybe it'd
make a lot of sense to raise alot more money at that secondary
thing and take another bite atthat at that apple. And, you
know, along the way, we had acouple of m and a offers. Didn't
really take them.
You know, had to make somedecisions there. But, I think
any company on a run up likethat happens. And of course, I
stepped away, you know, with theidea that Amit's gonna take it
(33:38):
public, and that's exactly whathappened.
Mahendra Ramsinghani (33:39):
Well, I think that what you built is
quite phenomenal. I just wantedto read some statistics for the
benefit of our audience. Thecompany had 20,000 customers at
the time you went public. Youknow, that is a significant
number. Now, what is interestingis that the average contract
value, or ACV, as we might callit, was $5,000 per customer.
(34:02):
So that's how you were up almostabout $200,000,000 in revenues.
Did the VCs fight back on theACV, saying that this is too
small an ACV with a very largenumber of customers? You know,
because at most VCs, you know,we like 6 figure contract values
with a smaller number of logos,but here you are with exactly
the opposite. Can you share alittle more of what happened
(34:22):
inside the VC conversationsaround these numbers?
Ron Gula (34:25):
So, you know, Tenable today, it's very different as
far as what they offer than whatthe when I was running it. But
when we were running it, youknow, we basically had had
Nessus, which was avulnerability scanner. And, you
know, we we added a lot of valueto Nessus, but it was basically
a single user type of, of ofthing, and it went from an
(34:46):
unlimited thing for maybe $1200a year to maybe a per IP thing
for, you know, a couple $1,000 ayear and and but it was for a
user thing. And then we hadsecurity center, which was
really the the enterpriseoffering. And he could buy some
things for it, but that was the$250,000, the $100,000 thing.
You constantly have these 2buckets of, of of revenue that
(35:09):
all had little bit little bitdifferent there. And then, you
know, we were a little bit lateto the cloud game compared to
some of our competitors, but weadded Tenable. Io and that's
where we've been pushing a lotof the the customers, which is
sort of a blend of you can't doas sophisticated of some of the
analysis you need to do withSecurity Center, but it's
certainly more sophisticatedthan Nessus. And, of course,
(35:30):
Tenable has done a lot ofacquisitions, you know, since
then. But but the conversationwas always, and this is where I
go back to all the venturecapital we do today, how do I
license the thing that I sell?
So, I mean, at at some points,you know, we had people using
Nessus, and we said, well, maybeif we gave Nessus away for free,
we could charge a premium forthese, you know, these
(35:51):
enterprise, insights and andanalysis of the data and that
sort of thing. And on on theother hand, you're like, well,
maybe if you give the analysisaway for free, you could sell
more Nessus scanners becausemore people will will like that.
And, you know, I don't think weever got to an answer because,
you know, when I was navigatingit, it was there were you know,
the GRC people wanted to addNessus to what they were doing.
(36:12):
The there was no sore. There wasno, you know, the SIM guys
wanted to add scanners to whatthey were doing.
Of course, now, you know, you'vegot people who do just asset
discovery, like Axonius andstuff like that. And, you know,
I would view that as competitioneven though one's sorta IT
management, one's vulnerabilitymanager. They're they're
related, but they're, you know,they're very, very different
things. And, of course, I didn'ttalk at all about the cloud and
(36:34):
SaaS and mobile devices and allthat kind of stuff. That's one
of the reasons the Tenableproduct line right now is they
call it cyber exposure.
Like a lot of those things don'teven have, you know, IP
addresses right now becausethey're ephemeral. They come and
go. So that's that's kinda wherewe're at.
Mahendra Ramsinghani (36:48):
You correctly said, Ron, that the
company is very different today.And, you know, as I was looking
at the most recent financial,materials that are posted on the
company's website, you know, ithas almost, 1700, large
customers, large meaning morethan 100,000 ACB, And it's gone
from, 200,000,000 revenues whenit went public to today, it's
(37:09):
almost north of 800,000,000. Soit has added 600,000,000 to top
line in 5 years. Compared to 0to 15 years, it added
200,000,000 top line. So verydifferent business.
I mean, how do you, as a leader,see these 2 different phases of
growth? You know, one was aphase of gradual sort of incline
(37:29):
and the other is a very rapidscaling that, Amit is leading.
Ron Gula (37:34):
Yeah. So Amit's very good at that. Like, I mean,
obviously, when we were doingall these things, he he had a
good career at, RSA and NetWitness. He has some good time
with the the federal governmentfor for stint as the czar. So he
had a lot of exposure to how dowe get a technology like this in
the hands of a lot of people.
Right? You gotta partners.Right? You gotta have the sales,
(37:56):
so you gotta have the branding,and have all that all that kind
of stuff. So they've done anexcellent job with us.
Amit's been at this just as longas we have. When we did Dragon,
we were working with him at hisfirst, cyber company called
RipTech. So, you know, I had alot of confidence in him being
able to, to do this. But, butfor the most part, you know,
when when you have a brandthat's iconic like that, I mean,
you know, while I was there, wewere able to get a DOD site
(38:18):
license, federal government moreor less site license, and, you
know, do things like that allacross the world. You how do you
build up on that?
Well, you gotta do someacquisitions. You gotta maintain
those partnerships, and yougotta you gotta keep doing those
those those kind ofrelationships. So I've been very
happy with what they've beenable to do. But I'm gonna not
pretend like I'm responsible forany of that stuff since I've
left. I made the consciousdecision to very much not hover
(38:41):
and just, you know, be a fan.
Right? Like, some formerfounders wanna hang out on the
board or Twitter or whatever,and I've really tried not to do
that.
Sid Trivedi (38:51):
Well, talking about not hovering, you know, you kind
of have this 14 year reign from2,002 to summer of 2016 as CEO
and cofounder. And then in thesummer of 2016, you hand the
keys over to Amit, and youbecome a board chairman. And
then you do that for another 6months. And by December of 2016,
(39:11):
you also resigned from theboard, if I'm correct, and, you
know, correct me if I'm wrong.And in January, you and Cyndi go
and start this new organizationcalled Gula Tech Adventures.
And the mandate in the earlydays was to focus on early stage
security startups. But could yougive us a sense for what was the
strategy there? Because it wasvery different from we've had
(39:33):
Dimitri on and Dimitri invest instartups, but he's not doing it
through some type of structuredvehicle the way that you and
Cyndi are doing it. So give us asense for why you did that.
Ron Gula (39:42):
So when when we left, you know, we wanted it we wanted
to be active in cyber, and youcan't be active in cyber and
just do policy. You can't beactive in cyber and just do
philanthropy, and you can't beactive in cyber and just do
venture. Right? I mean, peeppeople have careers in all three
of those fields, But when youlook at, like, the whole nation
and some of the complexitiesthat we have to fall, we really
(40:03):
purposely called Google TechAdventures Adventures and not
Ventures. And it's funny.
More than once, I've done aninterview where they said, Ron
Gool, the founder of, you know,Goolatech Ventures, you know,
but it's it's an adventurebecause we think it's all very,
very related. And, we're beingvery purposeful about trying to
balance the you know, all thosedifferent kinds of, of work. Now
(40:25):
there's a lot lot of ways toslice this. I've talked to a lot
of folks who are veryphilanthropic, and they invest a
lot, and you don't even knowtheir names. And they're you
know, but they've got they writebig checks and and that sort of
thing, but they chose to beprivate.
Now you had Dmitri on at yourlast episode. Dimitri's doing
Silverado Poly Excel PolicyAccelerator, very public about
that. He's very private abouthis direct investments and that
(40:46):
sort of thing. He does a lot incyber and outside of cyber. You
know, we've chosen to do certainthings.
My point is there's a lot ofways to go there. We really
found this balance. And, there'sa great interview from some guy
named Ross who basically calledus a cyber impact hub, which I
thought was awesome. I've usedthat a couple times for what
(41:08):
we're doing. But the reality iswe're trying to do a number of
things.
It's just be a resource topeople who make policy, people
be a resource to people who areinventing this because we don't
have enough people to to fightChina and Russia. We don't have
enough people to protectourselves from ourselves. Like,
we're inventing more stuff thatexploits our data and our
privacy than I think theRussians and Chinese do to us on
(41:29):
any given day. So it's, youknow, how do you beat that drum
and and create an ecosystem thatthat is doing that? Of course,
we're not doing it alone either.
We co invest with a lot of greatother funds. We do a lot of
cyber philanthropy with othergreat cyber philanthropists. So
so there's a you know, we'rehappy to be sort of doing our
part.
Ross Haleliuk (41:47):
Gula Tech Adventures is indeed a very
different, organization, partlybecause if I'm not mistaken, up
until now, you have notofficially raised the fund.
Correct? It is your own moneythat you've decided to put to
put in towards the investing.What made you choose that path?
Like, what made you not go out,just raise a fund, and and play
with somebody else's money?
Ron Gula (42:08):
So we thought about it. We thought about it. You
know, we've put a little bitmore than a $100,000,000 to
work, and some of the moneywe've we've recycled. So it's
probably a slightly biggerbigger number than that. But the
reality is when we left Tenable,we were responsible for I think
it was 600, 700 people.
So the first few years of doingthis, Cyndi and I didn't wanna
hire anybody. We've got a greatgreat team right now. It's small
team, but we're gonna try tojust use our time and some
(42:32):
equity to get things done. Andnow we've we're at the point we
need we need some help. But if Itake a dollar from you, Ross,
and I invested, I feel like I'mgonna have to give you a report
on what I'm doing for thatdollar.
And I didn't wanna do that.Right? I'd rather attract people
to invest in the companies thatwe're working with and have them
have the relationship with, withthe companies. And and that's
(42:53):
also something that's a littleuntraditional. Like, most people
in my position will do somethingcalled the special purpose
vehicle, where I'll get apercentage of that.
But now I'm involved in managingthat and and whatnot. And I just
we just didn't wanna do that.Plus, like, I think a lot of
what we have to say is reallyimportant, and they should
listen to us, but we're not theonly voice in the room. So, it's
(43:13):
sometimes a family office isgonna have, just as much to say
as another venture fund. And Iwant the founders to be exposed
to stuff because, I mean, firstthing I realized in this
business is a lot of VCs getreally lucky.
Right? And a lot of times theyou tell somebody, do x, y, and
z. You're gonna do well. It'sprobably the right advice, but
it might not might not happen.Right?
So it's we're trying to be, youknow, part of the ecosystem and
(43:34):
and do our part, like I said.
Ross Haleliuk (43:36):
So Gula Tech Adventures right now has over 50
companies in its portfolio. Whathave you learned since you've
made the first investment? Whatare you now doing differently?
How are you evaluatingcompanies? And if if something
has changed, then what what whatis it?
Ron Gula (43:49):
So what's what's interesting is that you can work
really hard on a company. Firstof all, what does that mean?
Right? If you're a founder,you're probably like, oh, man.
These VCs don't do anything forus.
Right? But But if you look atthe point of view from the VC,
maybe you have 10 companies.Okay. So what do you do for
those 10 companies during your 5days of the week? Or you can do
one introduction per 10companies.
(44:10):
That's actually a lot of work.You got to contact people. Do
you really want to meet thiscompany that has a cyber widget
that does that? It's a littleopportunistic. And so,
basically, what I've learned isI've learned sort of 2 things.
You know, 1, when it comes topitching companies, we wanna
know 5 things. What problem doyou solve? How do you solve it?
Give me some proof. What's yourask?
And what's your vision ofsuccess? And those five things
(44:32):
are hard to answer for 1st timefounders. Like, they're
embarrassed to say, I wanna goIPO. They're embarrassed to say
that if I raise a half a$1,000,000 from you, I'm gonna
make a $1,000,000 in revenuenext year. They they don't they
don't know that.
Right? But what do they know?What do they wanna say? So we
wanna we wanna know those thosekind of things. And then the the
second thing though is that luckhas a lot to do with this
(44:55):
industry, timing, lock, and it'snot a reflection on the founder
though.
We have a lot of former,military founders, former
intelligence community founderswho had stellar careers, stellar
pitch decks, stellar idea. Theygo to market falls flat, and
they think they're a failure.They're not a failure. Right? I
mean, how do you how can youpredict the buying behavior of,
(45:16):
you know, a 100 CISOs in thefederal government, for example,
you know, that that that kind ofthing.
So there is a little bit ofluck, little bit of humility.
And, you know, that's somethingwe just want to impart onto
those folks.
Mahendra Ramsinghani (45:26):
You know, speaking of luck, Ron, and
timing, of course, you know, Irecall a key management company
I had invested. This was keymanagement in the cloud in 2012.
So 10 years ago, everybody wasso intrigued by the idea.
They're like, how can you dothis? This is so cool.
Not a single buyer. And to addsome salt to that wound, some of
(45:51):
the buyers said, this is socool, but do you really think
that I'm gonna hand over my keysto you, your little startup is
gonna do this in the cloud. Sounfortunately, that company was
a loss. We had to shut it down.Another, sort of market timing
story is about homomorphicencryption.
I remember nerding out with thisfounder and he was like, yes, I
could run full homomorphic andwe could run so many operations
(46:13):
on these blobs of data and blah,blah, blah. Andy Bechtulichime
is an investor, and Index wrotea small check. We all got
excited, wrote a small check. 3years later, like, you know,
again, shut the company down. Sothere are so many of these
stories that we find in ourjourney, and I couldn't agree
more about luck, humility,market timing.
(46:34):
I mean, these are things thatare completely outside our
control. You have this view ofworking with founders. I love
the 5 questions that you sort ofpresent to them and force their
thinking into being very preciseand crisp. What advice do you
give them to stay tenacious likeyou have been, to build a
culture like you did at Tenable,and more importantly, not to
(46:57):
lose this essence of being agood human being.
Ron Gula (47:00):
So it's it's different for every founder, this this
concept of, you know, being agood human being, like, what is
the right thing to do? And and,you know, just like many funds,
you know, we had companies thathad to do layoffs, you know,
over the last year or 2 years,and they had to cut to
profitability. That's tough.Right. So I really felt like
some cases board meeting, veryantiseptic.
(47:21):
Hey, this was done. Maybe callthe founder after. Hi. How'd it
go? Right.
Like, are, are you doing okay?Right. You know, where, where
are you at? Right. So a littlebit of that.
Sometimes it's a little bit of,look, you have to do this or you
will be out of business in 6months, and that's that's tough.
Right? Having said that, I'vealso been involved with a lot of
companies who have just had, youknow, great cultures. They've
(47:41):
really nailed it. Some of thefounders I'm working with are
wise beyond their years as faras building a culture and
rapidly, you know, removingpeople who might be a counter to
that culture and and that sortof thing.
But but what I found is, like,my style is not everybody else's
style. So I'm a little hands offwhen I let people run the
companies the way they wanna runthem. It's their companies, you
know, that that kind of thing.But there's a lot of ways you
(48:04):
can do things. But also, youknow, being a CEO today in 2024,
when you look at the worldpolitics, we look at what's
going on in the country, it's alot different than when I was
CEO, right?
There's a number of things yougot to do, you got a lot of
legal things, you got a lot ofpolitical things, you got a
sensitivity things. So I dospend a little bit of time, you
know, making sure people are notoverly focused on things that
(48:27):
aren't aren't counterintuitiveto their business. But at the
same time, you've got to besensitive to all of those kind
of things as well. What I reallylike is when my portfolio comes
to work with each other. So I'vegot a couple OEMs and cross
customers, cross licenses.
That hardly ever happens in theindustry, and I think the fact
that we have any, I'm quitehappy about that. And we also we
do our Gula Tech event partiesand cigar parties and that sort
(48:49):
of thing, and that's alwaysagain, I like that cigars and
bourbon. Some people might notdrink. They might not smoke.
They don't have to come, butit's you get to kinda do things
that you wanna do.
But that's how we kind of bringthat culture kinda back to, to
everybody else.
Sid Trivedi (49:04):
Well, for the last part, you know, as we get come
to the end of this session withyou, Ron, we wanted to talk a
little bit about Ron theinfluencer. And perhaps the
first big question I have is youhave this organization, Gula
Tech Adventures, but alongsideCyndi, you also have Gula Tech
Foundation. And with Gula TechFoundation, you're trying to
(49:27):
support nonprofits, and yourmission is to defend the
nation's cyberspace. Could yougive us a sense for what are the
problems you're trying to solve?How does the foundation even
work?
And what are the types ofinitiatives that you hope the
foundation will support?
Ron Gula (49:42):
So when when we first started Gula Tech Adventures,
you know, we've always beenphilanthropic. We would put we
would do a donation. I I thinkone of the first ones we did was
select Npower. Npower is a greatorganization that just helps
people who can't, you know, getthe education they want in
cyber. I didn't kind of put themthrough a system, helps them
find a job.
Great. But we would list thosethings almost like investments
(50:03):
on the website. We used to havea website with our portfolio
companies and our philanthropy.But what we weren't doing is we
didn't have the bandwidth tojoin the boards of all those,
come in and work with them on adaily basis and stuff. So we
were we really wanted to dosomething that could help them
the most without I mean, with asmall organization without tying
up our time.
(50:23):
So Cyndi's idea was to, youknow, do the foundation and
basically make it a competition.And because what happened is we
get these pitch decks. Peoplejust email. They find us on
LinkedIn. Oh, I want you to lookat this deck.
Well, we'd read the deck, andthis is where we came up with
the 5 slide pitch deck, by theway. We're reading this, and
we're like, we really don'tknow. Is this a nonprofit or is
this a for profit company?Right? Some people's decks
(50:46):
weren't that good.
And then from that, not only dowe get the 5 slide pitch deck,
but we realized the nonprofitsjourney was basically identical
to a startups journey. Butrather than raising a seed a, b,
and c, you know, if you got amaybe a a grant from a
foundation, maybe you could geta grant from Department of
Homeland Security. I don't thinkpeople are aware how much the
(51:07):
federal government gives tononprofits in cyber for, you
know, for example. And maybe ifyou do that, maybe you get even
bigger grant from, like,Microsoft or Google or something
like that. And that's exactlywhat goes on in there.
So we recognize that designpattern and said, we're gonna
just not write checks and nottalk about. We're gonna make it
a competition and make a bigdeal. So we got a a grant
(51:27):
committee, And we also want tobe very purposeful. And so we
did topic to topic to topics. Soone of the topics first topics
we did was increasing AfricanAmerican engagement in in
cybersecurity.
So nonprofits out there that,that focused on that sort of
thing. And we've done about 7 ofthese grants. We didn't do a
grant this year. We're veryfocused on just we're we're
(51:48):
kinda retooling a little bit.We're gonna probably make some
announcements down the road.
But the grant structure wasreally good. Almost everybody
that received a grant from uswent on to get a bigger grant
from somebody else, much like inthe venture capital world. So
I'm very happy about that. Welist everything at if you go to
gula.tech, gula.tech, go to thefoundation page, they're all
listed there. Sometimes we'vedone videos with these these
(52:11):
organizations to get a sense ofwhat they are.
My last plug for people, look,in cyber, there's a lot of
people who have the impostersyndrome. I don't know why that
is, because I think everybody Imeet is really, really good.
But, man, you wanna feel likeyou're giving back, volunteer at
a nonprofit. It doesn'tnecessarily even have to be a
cyber nonprofit. Go to yourlocal hospital, go to your go to
(52:31):
your town and just see what youcan do.
And believe me, you can do alot. The nation needs everybody
in cyber to do, you know, dotheir
Ross Haleliuk (52:39):
part. Talking about different ways of
influencing the industry. Overthe past several years, I've
built venture insecurity. Andlast year, it has achieved over
500 1,000 reads, which is, it'sit's a lot for a blog. And,
frankly, I know how hard it isto create consistently valuable
content.
Given that your YouTube channel,as of right now, has over
(52:59):
100,000 subscribers, whatmotivated you to start creating
a content? How much time do youallocate to do it? What does the
process, for you look like?
Ron Gula (53:08):
So it's it's interesting. When we first
started the the YouTube channel,I it was I was going more for,
like, a Joe Rogan type of thing.I put a lot of effort into being
able to sit down with goodquality microphones in person,
and then COVID happened. Right?So I literally, I mean, we do
this out of our out of our home.
I'm having strangers well, notstrangers, but you know what I
(53:29):
mean. People come in the houseand sit there and do the
interview. And, you know, we dosome and and we were able to
score some really interestinginterviews back then, like the
the cast of the reboot ofMacGyver and and stuff like
that. But, you know, getting afollowing I mean, Ross, you're
very gracious to bring bringthat up, but it's no small task.
Like, you've gotta be on top ofthe content and the the SEO and
(53:50):
and just do things in the rightright things.
But for us, when we switchedfrom doing the live interviews
to more just me talking about atopic with some fancy graphics
or something like that, thatseemed to really resonate with a
lot of people, so I've doubleddown on that. We've been doing,
like, 1 episode a week. We're upto, like, 250 episodes. And, you
know, I think the fancy graphicshelp, but that's a gimmick. It's
(54:12):
I think the content is reallywhat sells.
The other thing is that it's notjust cyber. Like, we focus on
start up messaging. So, youknow, we'll do how to name your
company, but we'll also do,like, obtuse con topics like,
you know, what when should youdefer salary if you're having
payroll, you know, if you'rehaving cash flow issues. Right?
And that's a tough thing to talkabout.
But but that got that seemed toresonate with a lot of people.
(54:35):
So we're quite happy with thatthat following, and we're gonna
keep putting some more effortinto it. I, I really like every
everybody says they know AI. Somy excuse for spending time with
the graphics is everything I dohas some sort of AI technology
behind it. So I feel like I'mworking with with AI.
If you've seen some of thevideos where the characters just
talk to each other, 100% AIgenerated. Didn't move a key
(54:58):
frame or anything like that forthat stuff. So it's crazy how
far that technology comes.
Mahendra Ramsinghani (55:03):
So Ron, here you are, 3 decades of
innovation, entrepreneurship.Now you're giving back to the
community with a very big heart.So look at the first phase of
cybersecurity. It's aboutdemonstrating your intellect,
demonstrating your ego,demonstrating your skill. And
now you're here demonstrating abig heart in your philanthropy
(55:26):
and, the work you're doing withyour videos, which, by the way,
are so cool.
In fact, I particularly enjoyedthe one where you talk about how
a booth can be designed so thatit attracts the right kind of
traffic in a show like RSA. It'ssuch a simple topic, but nobody
has done that. So thank you forcontinuing to keep your creative
juices alive and continuing toinnovate yourself. I think for a
(55:49):
lot of us, you will be the JoeRogan of cybersecurity, or you
might be the top gun, you know,Air Force pilot for
cybersecurity. But as we look atyour next phase of your journey,
how do you continue to challengeyourself?
How do you think about what thenext 5, 10 years of Cyndi and
Ron Gula would look like?
Ron Gula (56:09):
Thank you for those comments. I mean, we put a lot
of effort into the investing,the philanthropy, and getting
that out. So I appreciate thosecomments. You know, I I think if
anything, anybody's gonna try topredict the next 5 years is it's
tough. I think we've got a goodview of things because we get
pitched a lot of stuff.
So there's a couple couplethings. So like, we spend a lot
of time with policymakers, andeverybody wants to know how can
(56:30):
we get the DOD more secure? Howcan we get the nation more
secure? And I mean, we've seenso many different things. Our
answer there is we want we wantpeople to think of, you know, IT
and and data, like health care,and just call it data care.
And I was literally like, I'm anadvisor for the Military Cyber
Professionals Association. Andwe had a I I don't wanna go into
a whole lot, but the commentwas, look. Even though this is
(56:51):
the military, you know, some ofthis stuff is carrying feeding
you the data, and it it's kindawe need to make the people who
are are patching the systemsfeel like they're just as
important as the people who arehacking Iran and and, China and
Russia. So in unless until wehave that mindset, you know,
where we can get cyber people tobe just as well respected as a
doctor or a lawyer, you know, Ithink we're gonna have a a hard
(57:12):
time there. And the second thingwe're tracking is AI.
And, I mean, I think there's alot of opportunities for
productivity and for thebetterment of humanity, you
know, with AI in general. Butthere's a lot of opportunities
for things to happen where, youknow, only certain companies
control the AI and, you know,they get to see what we're
(57:32):
asking kinda like what happensnow when we query Google and and
stuff like that. And that thatcan really, really hurt society,
especially if things go a littlebit more draconian than than
they have been, you know, in thepast. So we're tracking a lot of
that stuff. You know, there'sdisinformation is such a big
problem right now.
I'm actually working on a videowhere I have somebody from the
(57:54):
future come back to RSA, andthey have a conversation about
how they they, do things. Andthey literally say, well, you
know, we really don't know muchabout IT security from the 2000
because of the AI anddisinformation wars. Right? And
it's, so you you never knowwhat's gonna happen. Right?
But that's really what we'relooking at. We're blessed. We we
do a lot of really fun things,and we get to go to a lot of fun
(58:17):
places, but we're prettyfocused. I I mean, every year I
go to RSA, and I'm like, this ismy last RSA. I'm never going
back.
And then I leave, and I go, ohmy god. That was so much better
than what I thought it was. I'llcome back next year. And, you
know, it's it's important thework everybody's doing.
Sid Trivedi (58:31):
Well, thank you so much, Ron, for being so generous
today with your time talkingabout pre Tenable, the early
years, the formative years,starting 2 companies, then
starting Tenable, then yourinvesting background, all of the
work you're doing today toinfluence the industry. For our
listeners, what's the best wayto connect with Ron, hear more
about Ron? Should they justsearch Goolatech Adventures, or
(58:54):
is there a specific channel oror way you want folks to
subscribe to you?
Ron Gula (58:58):
LinkedIn's the easiest way. So I'm Ron Gula on
LinkedIn. You know, I got mystart in computers from my dad.
My dad's also Ron Gula, and hehas a LinkedIn account. So if
you see a guy without a picturethat doesn't have gray that has
gray hair more than mine, that'snot me.
That's my dad. But having saidthat, LinkedIn's fine. You know,
if you come to the YouTubechannel, check it out. You know,
what what I'm always looking foris if people have questions.
(59:20):
Like, I usually get people, hey.
Can I come pick your brain? I'mlike, that's one of my most
annoying ask because I do wannasay yes. But I'm like, chances
are the questions you have, I'vealready watched. I've already
done a video on. So my feelingis if I haven't answered
somebody's question, send methat question.
I'll make a video, and, we canwe can talk about it. So, that's
the best way to get ahold of us.
Sid Trivedi (59:40):
Thanks so much, Ron. Thank you.
Mahendra Ramsinghani (59:41):
Thank you Ron.
Ron Gula (59:43):
Hey. Thanks for the opportunity, and, good luck with
your launch, guys. It's, it'sit's gonna be great. You've got
some great guests coming up.
Sid Trivedi (59:51):
Thank you for joining us Inside the Network.
Ross Haleliuk (59:54):
If you like this episode, please leave us a
review and share it with others.
Mahendra Ramsinghani (59:59):
If you really, really liked it and you
have some feedback for us, wrapit on a bottle of Yamazaki and
send it to me first.
Sid Trivedi (01:00:09):
No. Don't do that. Mahendra gets too many gifts
already. Please reach out byemail or LinkedIn.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Therapy Gecko
An unlicensed lizard psychologist travels the universe talking to strangers about absolutely nothing. TO CALL THE GECKO: follow me on https://www.twitch.tv/lyleforever to get a notification for when I am taking calls. I am usually live Mondays, Wednesdays, and Fridays but lately a lot of other times too. I am a gecko.