Tenable was established just over a decade ago. Network security is constantly having to adapt to new threats. Could you outline what trends you see in cyber crime which are proving the hardest for firms to tackle?
Hackers have gotten really, really good at writing malware that’s targeting people like you. If they wanted to target your organisation they would be able to find and harvest emails from people like you and do it blind, by guessing names like John Smith. You’d be surprised how effective that is.
When you cross reference that against all these companies which have lost money, and PII [personally identifiable information], that’s another source of email addresses and names which can be harvested. So what’s happened is traditional anti-virus intrusion and detection systems are really bad at looking at content running on a website, PDFs, Word documents and other things.
So now that’s where the threat’s really focused. There’s so many people writing new forms of malware being delivered in these various streams of content, and McAfee can’t identify this, Sourcefire can’t see this, and so on. So basically you’re looking at a threat which is working to create malware attacks against specific agencies. That’s pretty powerful stuff, it’s not random malware anymore.
It’s targeting your organisation. That’s a firm’s worst case scenario.
How is the proliferation of these threats affecting companies, in terms of how often they need to update software and check for threats?
From an audit point of view if you can do it in real time, you get a lot of benefits. It’s a really big mindset change for a lot of our customers who do security as their job.
Previously it was very manual. It’s really run once a month, once a quarter, not daily. So when you’re a CIO figuring out how you’re doing, you run a scanner and everything comes up saying you’re doing a great job. But if you’re a company and you’ve done a scan 30 days ago you’re only just ready for the audit and you’ve got worms, malware and stuff. The other has been keeping running and is fine.
Everybody throws around these 30-day patch windows. You have 30 days to patch but how do you measure that? If you’re only scanning every 30 days you’ve got no fidelity. You can’t tell the difference between a group that patches the same day, the same week, the same month even. And 30 days is being generous. A lot of these organisations have 90-day patch windows, 180-day patch windows.
If you’re trying to get them to move to a smaller patch window you have to measure daily, real time.
So the way Tenable runs Nessus means people can get your updates pretty much instantaneously.
The way our technology works is a really big advantage. It doesn’t matter if somebody’s deployed Nessus in a virtual environment, a Mac laptop or a Windows computer, or if they’ve put it up on Amazon, they get this functionality. As long as they’re updating, they’re good.
We’ve been doing so much R&D with this investment that we wanted to get away from actual big releases. We’ve put so much new content into the update, even to having new web interfaces. We’re really moving to minor releases once a year but everything else is over the app. That’s how we shipped on our malware detection update.
That’s the nature of software these days. There’s so much that can be pushed that doesn’t need to be installed or have a user do something and that’s part of this whole cloud mobile expansion.
When you’re selling to companies, are you seeing a shift in terms of IT expertise within businesses? And is there a big difference in the level of expertise between startups and enterprises?
There’s a lot of users out there with problems like BYOD, where the users with sheer force of desire want to use their iPads and Dropbox and other services. In one sense, if IT doesn’t keep up with those things, they’re in a dangerous position. It’s the same with security. We have seen organisations take very draconian measures and it’s almost swung in some organisations the other way.
I have friends working in firms back in the US and they’re targeted by China [hacking groups]. They send me these emails about what their CIOs say. It scares them. It’s really a different mindset. When I go to California and visit companies which have just started up they don’t have IT departments. Every one of their services is outsourced. Through Amazon, Salesforce, things like that.
That’s where the world is. You have traditional brick and mortar companies which have been around for 100 years and companies which have existed for 100 days and they have completely different operations and needs. We work in both of those cases.
So what’s your sales strategy with these different customers? Do you go direct or do you prefer the channel?
We have two types of products. We have the easy-to-buy subscription product; software you buy and don’t own, the Nessus vulnerability scanner. At the same time we have these very sophisticated enterprise products that have agent scanning and multi-user identification.
For larger procurement it’s almost two businesses and we wanted to expand both things. They’re almost two businesses. We can’t really expand the high velocity subscription stuff which isn’t direct access, we really need channel for that, but at the same time we’re also expanding our direct sales force, but it’s interesting because here in Europe and Asia the channel and our SaaS force work hand in hand, whereas in the US where the security market is a couple years ahead, we’re still keeping it segmented.
Although we’re getting more and more channel partners to carry enterprise products.
Can you tell us about your current revenue breakdown?
So our revenue at the moment is made up 20% from the Department of Defense and the civilian-facing side of the US government, 25% western Europe, a little bit less Asia and the rest is the US.
We’ve seen 40% year-on-year growth for many years and when we slice it and dice it it’s really been consistent. We’re not seeing a huge expansion in any particular industry and that’s because everyone has big networks and everyone is being attacked.
The questions I get from private customers are exactly the same questions I get from the Pentagon. Everyone’s got the same problem. Our growth is reflecting the growth of these networks and demands for security.
Tenable recently raised $50m in Series A funding. Where’s that going, is it fuelling much expansion?
We have not only invested here in Europe but Asia too – we have people based in Singapore and we have a support team in Australia.
We have offices being opened up in many other countries – Japan, we’re looking at China, we’re looking at Korea. We’re trying to make it easier to do business with channel distribution.