CyberWire Daily - Patrick Morley: Former Carbon Black CEO [Cyber CEOs Decoded]
Episode Date: July 4, 2022In this episode, Marc and Patrick Morley, former CEO of Carbon Black, get nostalgic as they discuss Patrick's journey of coming up through the start up scene in the 90s—from working with VCs to taki...ng companies public—and compare it to running cyber companies today. Along with the early career experience that helped form Patrick's leadership philosophy, he shares his experience of becoming CEO of Bit9, seeing the company through a breach, acquiring Carbon Black, bring the company public and later getting acquired by VMWare—this episode is filled to the brim. You'll also learn about: How build a criteria for joining a start up Why cyber is the most mission-driven area of tech What it's like to call 600 customers in 2 days after a breach and not lose a single one Seven philosophies for running a cyber company Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire on what makes a cybersecurity company tick. I'm your host, Mark Van Zadelhoff, the CEO of Devo.
And today my guest is Patrick Morley, cybersecurity board member, advisor, and former CEO of Carbon
Black.
Patrick, welcome to the show.
Hey, Mark.
Great to be here.
Thanks for being here as well.
So Patrick, you were the CEO of Carbon Black for almost 15 years and saw the company through
a lot of changes.
But you didn't start out in cybersecurity. CEO of Carbon Black for almost 15 years and saw the company through a lot of changes.
But you didn't start out in cybersecurity. And during these discussions, I always like to start with just going way back to your background and how you got into cybersecurity. But let's go way
back. Where did you grow up? Where are you from? I'm kind of local. I consider it the Boston metro
area, but I actually grew up in New Hampshire, southern New Hampshire.
And Boston was the big city.
And I always thought someday, if I was lucky enough, I'd end up here.
And I ended up here and I stayed here my whole career, which is actually an accomplishment as well these days.
Amazing.
And did you grow up from a family of entrepreneurs or academics, or what was kind of the family background?
My father was a dentist. In fact, he just retired in his late 70s.
And my mom worked in the home, worked really hard.
I have one sibling, and I grew up, where I grew up was definitely the country.
I grew up on a dirt road, which you couldn't use in the spring, and next to a cow farm.
And it was great.
It was a great place to be.
And my family, my father was the first person to go through to university and then obviously went to extra schooling to become a dentist.
My grandparents were all immigrants, three of them from Canada, one from Ireland.
And I had one grandfather in particular, my mother's father, who was super entrepreneurial
and had a big influence on me.
I didn't realize that until I was older, until I was in college, just coming out of college, the influence he had.
But he ran every business under the sun, and he used to talk to me about it all the time.
He ran gas stations and grocery stores and bars and printing companies and lots of different companies and told a lot of stories about the good times.
And most of them were funny stories,
but a lot of stories about that.
And it really hooked me when I was young.
But of course, again, I didn't realize that until later
when you're starting to think through
from a career standpoint, what you're passionate about.
Yeah, yeah.
But all of a sudden you remember that grandfather
with all his stories about being an entrepreneur
and you realize maybe you're in the same situation later in your life.
Yeah, you get it through osmosis, right?
That's true with how we raise our kids and life in general.
I think a lot of times you don't realize you're getting it and then all of a sudden you look back and you realize how important some of those moments were.
Yeah, no, agreed, agreed.
What was your first meaningful paid job? Do you remember that?
Yeah, my first meaningful paid job was I was a bag boy at Shaw's Supermarket in Gossetown,
New Hampshire.
Wow.
Yeah, yeah. It was pretty incredible when you think about it.
Yeah, yeah, I'm sure. I mean, my first meaningful job was being a caddy. So both of those jobs
are very service-oriented.
So I imagine you experienced all sorts of nice and not nice customers in that job.
Yeah, that's right.
I will say, though, that during college, this just says something about when I went to school,
but I was actually in the Teamsters Union, and I delivered beer for four years during college and every summer.
And I made almost enough every summer to pay for college, which is inconceivable now for so many of our young employees who owe incredible amounts of money for college education.
I mean, we could do it differently back then.
Yeah, agreed, agreed.
In the end, you spent more than 20 years in technology.
I seem to remember you got your start at IBM.
Is that right?
I did.
Actually, yeah, good memory.
You and I have talked about this in the past.
I graduated from school with a degree in math and computer science.
And I got out and I started actually as a programmer for General Electric. And I programmed for exactly six months, increasingly realized that at least the area that I was doing programming, which was systems programming.
So it was pretty boring stuff.
Dry stuff, yeah.
Pretty dry stuff.
And so I went over to IBM.
That would have been in the late 80s.
So I went over to IBM.
That would have been in the late 80s.
I went to IBM.
And at the time, IBM, not to say it's not now, but at that time at least, IBM had an amazing program in many areas of their business for helping young people kind of grow and learn quickly.
And in my particular one, I went into the sales program at IBM.
And it was a really great experience.
Amazing. Yeah, as you know, I spent
quite some time at IBM much later in both of our careers. And I think that it has that reputation
of being able to build, you know, the skill sets of young people coming in there. Yep. That's right.
That's awesome. And so walk me through, because you were at IBM for a while, but then eventually
you kind of headed off on your own with roles at smaller companies, a number of small companies, and eventually moving to your first CEO role.
Walk me through that journey.
Yeah, well, I realized quickly, actually, even when I was at IBM, that I wanted to run my own company.
And at that time, I actually looked at a number of different companies to buy into franchises at the time that were non-tech oriented because I really wanted to do my own thing.
And I wanted to run my own company.
I had a mentor, a woman at IBM who had been at IBM for many years, who actually was the first person to talk to me about, okay, what could I go do?
And I'll never forget being at lunch with her and her
telling me about this thing called a startup. Now, you have to remember back, this would have
been in the 80s, late 80s, and companies like Microsoft and Lotus and Ashton Tate and many
other kind of tech startups, that was a new thing. And so that put the bug in my ear to say, okay,
if I can go to somewhere small, I can learn faster, I can grow my career faster.
And that's what I did.
And over the last 25 years or so, I've done five early stage companies during my career.
And of those five, I was very fortunate.
Four of them became public companies eventually. All four
of them were acquired eventually. On average, those startups, I was at those companies three
to four years, except for Carbon Black, where I was there for a total of 14 or 15 years.
But it was a great experience doing these startups and being somewhere where people don't think about startups as being a new thing.
But back then, there weren't as many.
And that idea of learning quickly and having the opportunity to experience a lot of different aspects of a business is very powerful for your career.
For you, four times at companies that went public, that's pretty remarkable.
I was thinking about that, and there aren't many people who have experienced that four times.
No, but you have to put it into perspective, too.
Again, times change, right?
The first company I was with that went public, we went public in 1996.
That company was SQA, run by Ron Nordean. And we went public on 11 or $12 million of
trailing revenue. We had just gotten a break even just to think of that 11 or 12 in trailing.
And now if you're on, if you're, if you're a hundred, they think, oh, you're, you know,
you don't, you don't have enough size yet. You need to be closer to 200. Yeah. So different
world. Fortunately, I saw that, that, you know, saw the kind of the changing dynamics of what it took to go public from the early or the mid-90s up to where we are now.
Carbon Black went public in 2018, so that would have been 20-something years later.
And we were much, much larger, obviously, than SQA was at the time.
Yeah, it's like everything has become supersized in the modern era, right?
Both the size you have to be to get to an IPO, but also the amount of money that's available to raise before that.
So everything has kind of gotten bigger.
That's a great way to say it.
Everything is supersized.
But you were able to raise money in those days.
There were VCs, and there was the same kind of basics, right?
But it was just, as we were discussing, the sizes were smaller at the time.
Yeah, it was the same, but it was different in that today, I think for founders and for CEOs,
I think the experience right now is a different experience than it was in the 90s.
In the 90s, the venture community was still relatively new.
And while they partnered with you, there was a little bit of an us versus them relationship versus the partnering you see now.
I equate it to the way, more recently, we've seen the PE firms change.
So in the early 90s, venture guys would be like venture
people, though many of them were, most of them were men at the time and still are. But a lot
of questions and a bit of cynicism about, well, why are you going to be able to make it? Versus
today, it's like, oh, we're going to do it and we'll help you do it and we'll do it together.
The VCs changed, I think, post the bubble burst in 2000, where they really became much more aligned with the founder, aligned with the CEO.
How are we going to do this together?
You saw that same progression on the PE firms today, where the private equity firms, again, used to be viewed much more, I don't want to say negative.
Yeah, negatively.
Hey, these guys are pretty.
Antagonistic, yeah.
Yeah.
Right on, right on. And today, it's different. I think that say negative. Yeah, negatively. Hey, these guys are pretty- Maybe antagonistic, yeah. Yeah, right on, right on.
And today, it's different.
I think that's right.
I actually spent a little bit of time myself
after business school being a venture capitalist
before realizing, like you,
I wanted to go and run something.
But if you just look at the term sheets
and the terms back in, for me,
it was the late 90s, early 2000s,
they were more antagonistic terms, right?
You do a preferred preference
with one or two times preference in it.
And the whole reason for that
was because you weren't quite sure
if the entrepreneur really was, you know,
going to do what he or she promised.
And so if you look at the term sheets now,
they're much cleaner and more entrepreneurial friendly.
So I think that speaks to exactly what you're saying.
What's interesting is you don't realize you've seen that whole journey of the changes of
the industry until you start to look back.
And again, you talk to younger founders or you talk to the investors today, you just
see how much things have changed.
the investors today, you just see how much things have changed. And I actually think, again, it's a great environment today to build companies. And different than where we were at, but it's a great
environment. Yeah, no, I agree. And I want to get to Carbon Black because that was just such an
amazing story and a big part of your story. But before we do that, these four companies that
you're at before you got to Carbon Black that all also did well, if you look back on that, were there certain components of your personal success? If you
look back and say, why was Patrick Morley successful four times? And I'm sure many
small failures and setbacks in between, but in general, those four companies did well.
When you look back on your own contribution there, was there a kind of a silver lining or a thread to
the things that you did that consistently allowed you to succeed there?
Well, I'd like to tell you I had a genius plan. At the time, imagine this, when I was looking
in the 90s for some of these jobs, it was pre-internet. Imagine that. So I remember trying to find a job then, very
different, right? You go in the Globe or your local paper and you look at all the help wanted
or you knew somebody who knew somebody. And I had a couple of key criteria. Again, I really wanted
to start my own company. And so one of my key criteria was super simple, which was go as small
as I can, because my belief was if I go small,
I'll learn more faster. Because in the end, I don't want to be here. I want to be running my
own thing. And then the second big criteria was I wanted to be local to headquarters.
Again, imagine that. Totally different today in today's world where we are. But at the time,
I said, I want to work at headquarters. And then third, I wanted to be in a situation where I could progress, at least as an outsider coming into a company, I could
progress if I achieved, and I thought I would, as fast as I could. And I kind of used those as a
baseline. At my first startup, SQA, I worked for someone who at the time said, hey, I know you
really want to start your own company, but rather than do that, why not use an investor's money, progress your career, and go run something in tech?
That would, again, have been in the mid-90s, and then that became my goal.
I said, hey, that's what I'm going to go do.
I'm going to do everything I can in order to run a company.
Before Carbon Black, I actually ran a company called Improvada here locally in Boston as well.
Went there with funding, but no product, no sales, just a team of, I don't know, 12 or 13 engineers.
I was there for a number of years and then handed the reins over to my partner there, Omar Hussain, who ran it and brought it public.
Use that criteria and that'll help you to make sure that you had a good probability of success.
Awesome. And so Improvada and a couple more, or maybe one more experience,
but eventually you do end up at Carbon Black and I'd love to understand how you got to Carbon Black.
How did you discover that opportunity and end up a CEO there? And it wasn't called Carbon Black at the time. I do remember that. That's right. It was called Bit9. And I went to Bit9 in 2007. And when I had
been at Imprivata, Imprivata was in the identity management space and certainly part of the overall
security. But we have to remember, back when I was at Imprivata, which would have been 2001 or 2002,
something like that, maybe 2002, at the time, security was really a niche play. And in fact,
most security leaders were not, quote, security leaders. It was really typically like a director
of network security or a manager of network security. And they were typically down in a
closet in the basement of the company, and no one really talked to them a lot. Just make sure we're
safe and don't talk to anybody. There were no CISOs at the time. So when I was at Improvada,
I was on the identity side, but I kept looking at what was going on on the antivirus side and
the way antivirus worked. And I had seen earlier in my career, the creation of AV back in the 90s. And I looked at the attacks that were happening when I was in Improvada, and I looked at that
side of security and said, that is an interesting place to be right now.
That is ripe for disruption because the core tech, the way it was built, was built actually
pre-internet.
The original AV was built pre-internet.
And you could see the attack, the numbers of attacks going up just exponentially.
And so I wanted to get over on that side.
I knew the first CEO of Carbon Black at the time, Bit9, George Kasabji.
I knew the investors, and one thing led to another.
And the next thing I knew, I was running Bit9 in 2007.
And I think nowadays it's just everybody says that AV is dead and useless.
But to bet your career in that in 2007 is a wholly different thing to do.
So that's a different time.
Well, right.
And at the time, Symantec and McAfee were just giants.
Yeah, they didn't really have a lot of perceived weakness. And in fact, at the time,
they were consolidating vast areas and niches of different security on the endpoint or on the
server side. And the core premise of Bit9, which is interesting, was rather than try and figure
out what's bad, what's malware, let's only allow trusted software to run on the device.
That was the core premise, and it was called whitelisting at the time we created that category.
Now, it turned out to be much harder than we had anticipated when we first started off on that journey.
But interestingly enough, if you fast forward, that was 2007, where we are today.
But interestingly enough, if you fast forward, that was 2007, where we are today.
The whole concept, one of the industry terms you see a lot out there in cyber today is zero trust.
We essentially were doing zero trust in 2007, but we didn't have that cool term.
We just had the term waitlisting.
But you were betting against the big guys, the antivirus guys.
And you and I, in that sense, were in a similar position because I was just getting started,
acquired into IBM at the time,
not to go off on a tangent here, Patrick.
But I remember we pitched the idea of starting IBM Security with the same premise,
which is that we needed something better
than antivirus and firewalls.
The only big companies,
when you and I were doing this back then,
in the cyberspace were either antivirus companies,
Symantec, Trend, McAfee,
or firewall companies, right?
Checkpoint and Cisco, especially.
Palo Alto emerging.
And so it's kind of the infrastructure players were the only big ones,
and they had their solutions that were invented prior to the internet,
as you said.
And you were making a bet that there was going to be a different way to do it. I was doing a different bet with security analytics while at IBM, but your bet was on doing something better than AV here.
And the other bet we were both making at that time, Mark, was the changing dynamics of the
cyberspace. Again, looking where we all are today, it's a little hard to rewind the clock 15, 16 years ago and imagine a time when, even in 2007, most companies did not have CISOs.
Most people could never have imagined that cyber spending would go from where it was, which most companies at the time were spending maybe 1% of their IT budget was on security.
To where it is today, you've got 7%, 8% in many of the financial services companies.
You've got 10%, 12% of the overall IT budget is being spent on security.
Couldn't imagine that kind of exponential growth there either.
No, and it's been very good on the client's head, like you said, at banks and at all of our customers.
One of my favorite CISOs over in Europe told me a story that he had two job options around this time.
And people said he was crazy for accepting the head of IT security.
And now he's got a 500-person cybersecurity team and a big title.
And it's been amazing for his career.
So I think you're right.
Those roles didn't exist back then the way they do now.
I think cyber is one of the top three most exciting areas of tech, bar none. And of the three,
it is the most mission-driven. It is so powerful in the mission of what you're trying to do as a security company because it's very visceral. Because you read about it every day in the news,
you are talking to customers
every single day who are trying to protect their organization. And so the mission really comes
alive in cyber, which I understood in 2007, but I did not fully appreciate the way I do now,
the power of that for me personally. And I also think for my employees.
And again, I'm sure you see that from where you sit too.
Yeah, I know. I agree.
When I explain to people outside of cyber why I like it,
I say at any software space, for example,
you have to beat your competitors and please your customers.
And in cyber, there's this third very random variable
called the hacker that you have to add to that.
And you have to please your customers,
beat your competitors, and outpace the hackers
and have a mission to do that.
So I think it's in that sense that some of my friends
who are in biotech curing cancer,
I think we have that kind of mission,
not to compare maybe that noble thing to cybersecurity,
but we have that mission of doing something
that will really help the world if we get it right. That's right. Yeah, that's right. So you're at Carbon Black and maybe let's
start with just getting there, settling in and back to, did you have to go fundraising right
away? Was it easy to do that? What were some of the early challenges that you had there?
Yeah. When I got to Bit9 at the time, uh, we, there were 20 something employees
and, um, under a hundred thousand dollars in revenue, handful of customers product didn't
work that well. Cause it was quite hard to do what we were doing at the time. And, um, I did
not need funding right away, but I got there in the midst of the real estate crisis, the financial crisis
of 07, 08, and the recession at the time. And so we suddenly went into a situation where
you want to drive and grow the business. And while we certainly did grow the business,
it was a harder slog than we thought.
And some of that was because of macroeconomic issues with the economy globally and the financial crisis.
And the other aspects were we were still trying to figure out a product market fit for, at the time, what we called whitelisting.
It was a few years of challenge, keeping the team together. As you know, typically when you
go in somewhere, you'll look at the team and you'll make some changes. But then we really
were focused on trying to figure out where the repeatability was in the model and making sure
we got the product to where it satisfied all of our customers and it did what it was supposed to
do. And that journey was longer than it should have been, twists and turns.
And again, in a slightly, not a slightly, in a very different funding environment than we're in today.
We did not raise money for the first couple of years, but then I needed money, but we weren't seeing exactly the traction we wanted.
I did, over the years, a couple of times times I did bridge loans to see around the next corner.
We had an offer to sell the company back in, I don't remember exactly what year I want to say
that was 2010, maybe, maybe 11, somewhere in there. We decided not to do that, but definitely
some twists and turns. And as an outsider, when you look at a company, it's very easy to say,
oh, look at the way that thing goes up into the right. And I used to, when you look at a company, it's very easy to say, oh, look at the
way that thing goes up into the right. I used to say to all of my employees that if you draw an
X-axis, you want to draw a straight line up into the right. But the truth is, every company,
there's a roller coaster inside of that line. You've got some great quarters, some not so great
quarters, some great years, some not so great years.
And that's why it takes tremendous stamina
and resilience for a team
and for a CEO and a founder
to kind of bring a company up and through.
And you have to be really passionate
about your beliefs to do it.
So we definitely saw some of that
in the early years at Bit9.
Yeah, I think you've seen it all.
And I can relate to that in my role here at Devo is that there's lots of detail below the surface in terms of what's happening and highs and lows.
I definitely get that.
One of the moments I wanted to zoom in on, and I think at the time you were probably no more than a couple of miles from my office.
And I remember just opening the paper
and reading about a breach.
It was around 2012 that Bit9 had experienced a breach.
And you, I think, did a very admirable job
leading through that.
I mean, the fact that the company survived
to have an amazing several other chapters speaks to it.
But walk us through the 2012 breach
that Bit9 experienced.
I'll just take a step back. There was about an 18-month
period there where we had tremendous highs and tremendous lows. And again, the power of working
at smaller companies is the fact that the highs are higher and the lows can be lower.
We got funded by Sequoia. We took a nice round, again, at the time from Sequoia,
But funded by Sequoia, we took a nice round again at the time from Sequoia, who I was really excited to bring on as an investor in 2012.
So that was a high right after I brought him on.
We missed the bookings number for the quarter.
Didn't feel so good.
I remember making that call and saying, hey, FYI, before the quarter close, I want to let you know.
Again, great investors.
This is why I always tell everyone get great investors. Great investors have strong fortitude.
And I'm like, yep, okay, we got it, and we're good.
We believe in what we're investing in.
And then in, that's right, in 2012, we actually announced it.
We found it in 13, but bit nine at the time.
We had about 600 customers.
Kevin Mandia called me.
One thing led to another, and we realized that the Chinese had hacked us, a very advanced
group, in order to get to a couple of our customers in particular.
And that was one of those things where I had been at the company for five years, and we
had really started to see sales start to grow.
We were growing well over 100% a year over the last couple of years. Our company was much bigger at the time. And I thought, oh my God, do we lose
the company? How do the customers react? And we did exactly what you said, which was we made the
decision to go out and be 100% transparent with the industry and with our customers.
In retrospect, it looks very easy, but at the time, I was scared to shitless.
We knew we had the right thing to do.
It's still scary.
And we did it.
And I personally called close to 100 customers.
We called every single customer.
So all 600 customers.
I'll never forget.
We had all effort there.
We talked to all 600 customers.
In like a couple of days, just call them all?
It was two days.
It was a two-day, three-day effort.
Yep, that's right.
And did any customers just summarily say,
you must have had someone that just said, I'm done?
Do you know we didn't lose one customer?
Unbelievable.
Yeah.
Again, I think a lot of that has to do with,
there's a credit to us,
but really it's a credit to the reality of cyber. When you talk to CISOs,
when you talk to him or her and you tell them the situation and you're totally transparent and your
leaders recognize, they see it as cyber leaders, you understand how tough our jobs are. And
honestly, I think it made us a much better company because
we were walking in the shoes of our customers in a way that we never had before. And it made
that mission element even more important than ever. I think we all admired how you guys got
through that at the time. I just remember having deep sympathy for what you guys were going
through, but I didn't realize that not a single customer walked. And I think that's an amazing
stat. And I wonder, when SolarWinds happened, and again, we could probably spend another hour on
this topic alone, but I remember just thinking it sounded quite similar, in fact, to what happened
to you guys in terms of trying to take advantage of a company that had footprint on an endpoint
to infiltrate key accounts from a hacker perspective.
And as everybody was saying,
oh my gosh, this is crazy solar winds.
I remember just thinking,
it's happened before, right?
And if you're in the industry long enough,
you start seeing the patterns.
One of the other things I've learned
through that journey at Bit9
was we essentially built tech that only allowed
good processes, good things to run, trusted things to run, which meant that we could block things.
And what we realized is that while very important and super powerful, many of our customers are
also using us to watch what was happening on the
device. So they would get a ping from a network device. You mentioned Cisco earlier and Checkpoint.
They would see something on a firewall and they would know that it went somewhere and they would
be looking for it on a device. They would use us to replay the event. Well, what just happened on Mark's machine?
So we pulled the company increasingly.
We were still doing prevention, blocking things. But increasingly, we were adding more capabilities to actually record, to watch what was happening
and provide the SOC team with better fidelity.
And I ran into a company called Carbon Black that summer.
And I had the opportunity.
And I, in one week, had three different people, customers, talk to me about this tech.
And Carbon Black had essentially built the first EDR product, endpoint detection and response product.
Again, amazing to think there was a first on that.
But built the first product.
I reached out to Mike Vascuso, the founder.
And at first, he didn't want to meet with me. Eventually we met and we really connected about
what we were trying to do. And we brought the companies together in the beginning of 2014,
I think that was. Very hard to get done, by the way, two private companies coming together. I
know for people who haven't had the roles that you and I've had,
they probably don't realize it's very hard to align shareholders and the right price for the
business and the right roles for people coming in. So I assume there's some good complexity to it.
Yeah. And again, a lot of it comes down to what's the mission of what you're trying to do and how
do the, I'm sure you do too. I have a set of core beliefs or philosophies that I've built over the years of running a company, running companies,
running teams, not just a CEO, but in multiple roles. A lot of it comes down to who we are as
humans. Where are we trying to go? What's the mission and vision of what we're trying to do?
And then who are the people involved? And if you can figure those things out, if you're aligned there, then that's a big chunk of getting a deal done. That's true if I'm selling to a
customer. That's also true if I'm bringing private to privates together, which as you said, are
really difficult, way more difficult than doing it in the public. Yeah, no, exactly. And you guys,
again, my memory is you guys really
started getting momentum. I mean, this is a particularly good idea for the company,
acquiring Carbon Black. And eventually it was such a good idea that you changed the name Bit9
to Carbon Black. Yeah, that's right. With the Carbon Black product, small team, the core team
came out of the NSA. They were actually hackers. They were actually going out and making sure that government systems are safe, but they were trained as hackers, and they built a product to find themselves.
And we brought that product from about 40 customers.
When we closed the deal to a year later, we had 1,200.
So from 40 to 1,200.
Later, we had 1,200.
So from 40 to 1,200.
So very exciting, but also fraught with a lot of challenges as you try and scale that so fast.
Again, a lot of great lessons learned.
Very exciting, a lot of fun, and a lot of work.
Now, I want to pause there. I mean, you just had, was that your, I mean, not to get too geeked out on sales execution, but that is a sales and
product execution miracle right there. You must have had an established channel that you were
able to just leverage to make that happen. We certainly had distribution channels through
partners. We also had, I think, a relatively well-tuned sales process at the time. And when
we put the carbon black product into it, it really
popped because there was such a great product market fit and we had the sales distribution.
One of the things I always say to other CEOs and other sales leaders is, again, you'll recognize
this, is that a lot of times you look at the pedigree of an individual or of a team who have had the
good fortune of being in spots where the product market fit is so strong and not to take anything
away from the salespeople, but you say, oh my God, they must be unbelievable sellers.
My experience from my own career is that the times when I was selling products that were a little tougher on the product market fit, maybe they weren't a must-have.
They were still a nice-to-have.
Maybe there wasn't actually budget dollars set aside yet for that category because it was a new category.
Those situations on the go-to-market side, you had to do every single thing right on the sales process.
And if you missed one thing, you lost the deal.
And so that was us at Bit9. And then you take the Carbon Black product in, you put it into the
channel and into our go-to-market channel, and boom, it really took off. Again, a credit to our
sellers and also a credit to the product team who, the Carbon Black team built a great product.
But then we had, as a combined team,
we had to scale the heck out of that product. Yeah. It's an amazing, amazing story. And I'll
keep us moving along, but I want to just get to two other phases of the company. You got to an IPO
and maybe we start there. IPO, I think around 2018. Yep. Had the good fortune to bring the company public in 2018. And
a nice milestone for any company. My core belief is that, and you can especially see it in today's
world, that an IPO is just another funding event. And as you know, you could say, okay,
you can get as much in the private markets as you can from the public markets today. So you could make a decision to say, I don't want to be
public. I'm going to stay private and I'm just going to raise that exact same amount of money.
Maybe I'm even going to raise more. At the time, we made the decision to bring the company public
to access public capital markets as opposed to private capital markets. It was an amazing
milestone. And it is for every company because in essence, in some ways, it's a little bit of a coming
out party.
And it really does help your brand.
It had more of a brand impact than I gave it credit for.
And if you're passionate about the company you're running and you love the company you're
running and what you're trying to do to help your customers out there, bring in a company.
Public's awesome. There's some challenges with it, having to hit the quarters after that,
et cetera. Make sure you do what you say you're going to do. But it was an awesome experience.
At that point, I had been at the company 11 or 12 years. So it would have been a long run. And I was
very proud of what we had built. I'm still extremely proud of what we built.
Amazing. Yeah. I think given that proud of what we built. Amazing.
Yeah, I think given that Devo is a pre-IPO company,
I think I'll have many more reasons to give you a call
in the next coming years to hear even more about that.
I mean, as you said,
everything seems like a straight shot from the outside.
I assume even the IPO,
were there ever moments where it's like,
we're not going to make it,
their market's going to close,
or we might miss a month or a quarter?
I mean, did you ever have moments in that process where it's like, we're not going to make it. The market's going to close. Or we might miss a month or a quarter. I mean, did you ever have moments in that process where it was risky?
Or in the end, once you decided to go, you had the runway clear to get off?
At the time that we went, we were going through a transition.
So we had built this big data platform that was the backbone of what we did with our offering.
And we were transitioning that to 100% of the cloud.
To multi-tenant. We were already single tenant in the cloud to multi-tenant. So we're definitely
doing some stuff behind the scenes on the tech side. We made the decision. We knew we were going
to need money a year out. We made the decision to tap the public markets. And the actual process,
I had heard all sorts of different stories. My own experience on the actual process of bringing the company public was that once you're in the hopper and you start going down the path, the advisors that you use are so good at this that that part is actually relatively straightforward.
There's certainly a lot of stress around it, but relatively straightforward.
And it was for us.
a lot of stress around it, but relatively straightforward. And it was for us. Now,
of course, again, afterwards, you've just gone out and sold your stock to all these different companies and you need to live up to your expectations. So there's an additional level
of stress that comes with it, but the actual process, the mechanics of it were pretty
straightforward. Yeah. And did you like being a public company CEO? For the most part I did.
I really believe in what we were doing at the time, what the company
continues to do as part of VMware. Every meeting, we talked about our vision, which was a world safe
from cyber attacks. And I really believed in that. And there was some tough stuff along the way,
being a public company CEO. Some of the public company investors are highly educated. The majority are not, excuse me, highly educated on you as a company when they make the investment,
especially for an early IPO company.
They learn who you are over time.
It takes time.
I saw that progression.
I enjoyed the experience of doing that.
Amazing. A lot of other areas we could dive into here, but maybe we fast
forward to within about a year or so, you guys ended up selling the company to VMware. I'd love
to hear how that went and what was kind of the thinking there and how the journey was within
VMware. We brought the company public. We were going through a platform transition underneath the covers.
The market also was progressing really fast with some very strong and very capable competitors
like CrowdStrike out in the marketplace and Microsoft coming increasingly into the market.
And with the consolidation that we continue to all see in cyber, we had partnered with VMware for a couple of years.
And as you just said, we made the decision after a number of conversations with them about what we could do inside of a larger organization with broader access to markets. by being able to bring our cyber capabilities into the VMware platforms that we would see
acceleration. Every large vendor in the world has to have cyber capabilities built into their stack
one way or another. And so that was the core premise. That's why we ended up selling the
company at the end of 2019, I think.
The CEO at the time was Pat Gelsinger and sold the company to VMware and became essentially the security business unit within VMware.
Another experience, I'd been through that before a number of times, but never as the CEO.
Lots of twists and turns there.
Actually, more twists and turns, I think, in many cases on doing something like that than there is in the IPO process.
Again, you've got to make sure you're aligned on the mission and vision, you're aligned on the people, and then the numbers have to work.
Yeah, no, I agree.
It's complex.
I was, as you know, on the other side of that at IBM Security, and we'd acquired probably about 10 companies into IBM Security. And I have to say the hardest person to figure out what to do with is the CEO coming into a large organization like that.
So that's you in this particular case.
I'm sure for you it's very different, right?
You were by now 13, 14 years at running your own show, as it were, and responsible for everything.
It must have been a shock coming in and being, I mean, you were, I believe, a general manager of the cybersecurity business there.
Obviously, a lot of responsibility and a lot of autonomy, but still, you're now part of a much bigger thing.
That's right.
That pretty much summarizes it.
Being the CEO or the founder of a company and with a responsibility if you're running that company, one of the things that I was the most proud of was of the company, of what I was running. And again, I'm sure you
feel the exact same way. And what we were trying to do for our customers and how we were trying
to affect the world, being part of something else is equally powerful, that vision and mission of
what you're part of. But it is different. And in the end, I couldn't make the same decisions I was making when I was running the company. I would say, okay, we were doing this. We should do this
other thing now. And we're going to move resources in this way. And we're going to change our sales
compensation in this way. And we're going to do this and we're going to do that. And now suddenly
it was not just me and my team who were deciding. I had a large number of other constituents that I
had to go to, to build consensus with and why this made sense, because it might impact them,
other business units, it might impact compensation plans for other groups, et cetera.
So everything gets much harder and figuring that out and then figuring how to do it well,
it is a lot of effort.
I have never worked in a lot since early in my career, never worked in a large company as a senior leader.
And it's a different role.
Being a senior leader in a big company is a very different role than being the CEO.
Again, I'm sure you can actually, you know this better than I do.
Yeah, no, and I've kind of gone the different direction, right?
Going from a big IBM to this seat. So both directions are, you have to be very careful. And as you said, different level of control and autonomy and the two different roles for sure.
I want to ask you about it. I don't want to get too personal, Patrick,
but throughout all this,
you're also a father and a husband and the like.
I'm curious just to how you were able to maintain
semblance of balance throughout all of this,
if you'd be comfortable talking about that,
because I think it's insightful
for people trying to do these types of jobs.
We could do a whole session just on figuring that out.
During my time running the company,
one of my core beliefs is that we did not just go up into the right the company, one of my core beliefs is that we did not just go
up into the right. And so one of my core beliefs is you have to pick a mountain or a hill, use your
term, to climb to bring the team up. And I was always very focused on making sure that we knew
where we were going as a team, even if later on you make the decision to change that. That belief
on always making sure that we're kind of going up this hill and we're aligned on doing it, while it's simple to say it, in mind, it's all consuming.
It's all consuming to make sure, all right, are we doing the right things?
Are we climbing the right hill?
Are we doing all the things right? And so the balance on personal, for me, the balance was heavily weighted towards the work side, dramatically weighted towards the work side.
As I've joked with some of my friends since I'm no longer the CEO, I sleep like a baby.
And I didn't as the CEO.
I'd like to say I did, but I felt tremendous responsibility to make sure that we were achieving what we had committed to and that we were all climbing up the hill together.
For me, the only way I could do that is to have a partner, my wife, who really ran everything else in our life.
Because while I was certainly there and present, work was very consuming.
I don't know that I have any great hints there other than to say that one of the things I learned over the years was that building
more and more time into my day and in my weeks for thinking time, solo thinking time is really,
really important. And I didn't do enough of it early in my career.
Yeah. No, I think blocking the calendar for both thinking and the balance points is the key to survival.
So I think you're on to probably one of the most important things that I've certainly been trying to use,
as imperfect as I am at it as well, to your point.
And it feels weird, right?
It feels a little weird.
That's exactly what I used to do on my calendar.
Put a time twice a week where, okay, no meetings,
and I really just want to be able to take a step back and actually not do something,
but actually think, are we focused on the right things?
Are we doing the right things?
What am I worried about?
What do we have to do more of?
I don't know how you've made that adjustment, but it feels a little weird at first.
And then, at least for me, I found I looked forward to it.
Again, if I didn't blow it up with some critical meeting.
Yeah, I think we're in the same boat here
and on our efforts, I totally can relate.
So Patrick, I want to transition
maybe a little bit the conversation.
You've gotten into this during our discussion,
but I think with all of your experiences,
I'm sensing there's sort of a set of philosophies
that you apply.
And I thought maybe we could spend a few minutes
on as you step back now,
as you've transitioned out of VMware
or thinking about what you do next,
it seems you have a set of beliefs
that you bring to these roles.
And I'd love to kind of maybe walk through those
and sort of understand how you think of being a CEO
and how you think of being a CEO and how you think of being a
leader. Yeah, for sure. And a lot of these I built over years, some of them as CEO, some of them
before I was a CEO. Again, I believe that great leaders, great operators always build a set,
a framework or a set of beliefs on how they run their business.
Some people articulate those very clearly or need to have frameworks. I'm a framework guy.
I really like that. I have them for many, many parts of the way we ran the business.
I think that is so important. And I actually think saying what those are is really,
really important because it ensures that for me and for the team around me, we're aligned on, well, this is how I think about things.
And I have those for looking for your next role in a company.
I have those for how you lead as a senior leader, et cetera, I said this to the team all the time, seven core beliefs or philosophies on how
you build a great company. Seven. I want to hear the seven. I think people want to hear the seven,
given the track record and how you've applied them. I'd love to walk through those.
Well, the first is pretty straightforward. And most CEOs, founders, most people out there could
probably get out of
the seven, many of them, right. But the first one is you need an aligned vision and mission
on what you're trying to build, what you're trying to do. And it is surprising to me how
many companies out there may have that, but don't articulate it or may not even have it.
But usually most companies, especially early stage companies have it. And then many cases,
you kind of lose it after a while because, oh, isn't this just obvious, but having an aligned vision
and mission is really, really important. And for a couple of reasons, you know, the number one
reason is if you run a great company, you've got a lot of people who are making decisions every
single day about, should they go left or should they go right? If they truly understand what the
company's trying to accomplish, they won't always make the right decision, but they're going to make more right
decisions than wrong decisions because they understand what we're trying to do. So you have
to have an aligned vision and mission. And then the second thing you do is you have to be able to,
you have to say that. We started, we did monthly company meetings. And for years, the whole,
for most of the time I was at Garden Black, we started every single
meeting laying out what our vision and mission was. It sounds so simple and well, do you really
need to do that? And the answer is yeah, because you know what? Most of us, there's a lot of things
going on every day. And in the end, through osmosis, they would get it. My team would get it.
We would all get it. Everyone knew it in the company. So number one, aligned vision and mission.
My team would get it.
We would all get it.
Everyone knew it in the company.
So number one, aligned vision and mission.
When you're adding so many employees, I see that here as well.
I mean, you think you do a good job communicating something a year ago. And then a year later, you have one or 200 more employees that weren't there at that time when maybe you developed and announced that mission.
So you have to keep repeating it, right?
Yeah, that's right.
to keep repeating it, right? Yeah, that's right. And typically that vision and mission align with what's the value that you're going to offer to your customers out there in the
marketplace. So ours was a world safe from cyber attacks. You're aligning around what you as a
company are trying to create and what you're trying to do for the customer that you're giving
value to. That's number one. You got to do that and you got to hit it again and again and again.
Number two is it's all about the team. One of my core beliefs in tech, when I got into the tech
in the 80s, I saw my particular experience that I saw a lot of situations where you had the smartest
person in the room. And I thought, why? Maybe that's how tech companies get done. You've got
one person who kind of comes down from the mountain with, this is how we're going to do it.
And that's not true. And since then, obviously, I've read lots of stuff about this over the years.
And statistically speaking, better companies in general make better decisions when you have a
team helping to drive those decisions and pushing on it and debating it, et cetera.
So to me, great companies are built by great teams.
It's all about the people.
You have to make sure that you're surrounding yourself with great people.
That doesn't mean everyone's the same.
That's where I think diversity and inclusion comes in
because you want a different set of experiences.
You want people who think not the same as you,
again, so that you can debate and push on decisions.
But it all comes down to the team. You need well-functioning teams. There's a whole set
of things you got to do in order to make sure you're doing that well, but it's all about the
team. Yeah. And that applies not just as the CEO, but a VP building a team for a department. It's
the same rule. I will say something I didn't understand earlier in career, but the most
important team in the company is the senior team. If the senior team is not functioning as a team,
it all rolls down. I used to say it's kind of like the foundation. It's a reverse.
It's the foundation of the house and the senior team is kind of at the bottom. If that team's
wobbly, the whole house is wobbly. If that team is super solid and locked in,
it's not wobbly. And man, a lot of the other teams are going to be very solid as well.
Yeah. Couldn't agree more.
My third belief is, which probably the one everyone remembers the most, but I had a no
asshole rule. Yeah. I remember you told me about this years ago and I've always kept it in mind.
It's so eloquently stated, it's stuck in my mind. Yeah. And we've all seen it. And by the way,
just to be very clear, what does that mean? That means arrogance or hubris,
because we know that arrogance and hubris break the team. If we align on something as a team,
and then I walk out of the room and I do my own thing because I think I'm smarter than the rest
of the team, then I break the team. And there's nothing that hurts the ability to build a great company, a great team, than by
having an asshole on the team. And we have all seen this in different companies where we've been
at, where there'll be an individual or in some cases, a team where no one wants to deal with
them, with him or her or with that team.
And again, as I used to say, kind of jokingly, but those teams also tend to grow. It's like
rabbits. I mean, one day you have one person who's not a team player and the next thing you know,
next quarter, two quarters, you got a whole team of people. And so you got to get that out. And
the best way to do it is just to say it. We don't want that arrogance or that hubris in the company.
So that's number three.
Number four is run your own business.
If you think about how great teams run, and by the way, not just teams, all the way down
to individuals, they understand and believe that they're running their own business.
They're empowered to make decisions day in and day out
about how they should be running their business.
And they don't have to go to a supervisor,
to a manager, to someone else to say,
hey, is this okay what I'm doing?
No, they're running their own business.
Why is that so important and so fundamental
to building a great company?
If you have employees who are empowered
and believe that they're running their own business,
they're actually going to do much better work because they believe it's their own. Number two, every day when they get up, they're passionate about what they're doing. And from a retention standpoint, you're going to have much higher retention when you have employees and teams who all believe, rightfully so, that they're running their own business.
rightfully so, that they're running their own business. If you get up in the morning,
you do not understand why your job is so important to the company and why running your own business is so important. If you don't understand that, then your manager is failing you.
Yeah, I agree. And I'm reading the book by Frank Sloteman, the CEO of Snowflake,
and he says you want bus drivers, not bus passengers. And I think that's kind of what
you're getting at. People that are everyday get up and have a very clear sense that they
can run their business. Yeah, yeah, that's right. Belief number five is the easiest, the fastest way to
kind of break running your own business is the creation of friction inside of an organization,
especially as you scale, as you go from, as you said, Devo's going through tremendous growth.
We saw the same thing. All of that growth, all those new people coming on, it's easy to get friction.
And so I used to talk a lot about this idea of no friction.
And the easiest way to break friction is to over-communicate inside of an organization.
What I saw, what we've all seen is that as organizations scale or larger organizations
or even small organizations, that you'll have these situations
where you get two different teams or four different teams.
We all are trying to do the right thing and run our own business.
But my top three priorities, we all have too much to do.
I'm going to do these three things and they line up this way.
Your top three priorities are different than mine.
And so our priorities don't align.
And so then I go to you and say, hey, I need your help in order to get blah done. And you say, no, I'm not doing it. I can't do it.
And what I saw with friction was the biggest challenge is that we're all running so hard
that we don't take the time to over-communicate, to actually say, well, wait a minute,
actually have that conversation, pick up the phone, send an email that's not a get this done
or else, an email that says, let's talk about the situation. Because again, much of the time,
this is about aligning priorities and getting understanding. And so you have to break friction
down because friction builds up over time. Some of it, you got to revisit it and say, well,
this decision we made four years ago to do blah, it doesn't work anymore. We got to change it. So no friction. A method we've used here, it just really started about
six months ago, is the OKR process. Did you end up using OKRs? We did at the end. Yep. Yep. Yep.
And I love OKRs. I think they're simple, elegant. But many other things to do besides OKRs,
but I agree. It's a communication. And I'm listening to every one of these, you know,
giving myself a mental rating of where I am after just a year and a half here.
So it's very humbling. It's been the interview around and I could do a test at the end.
Yeah, no, no. Let's do that. Maybe I need a little more time for that, Patrick.
And then six is leadership is at every level in a company. I didn't come up with that phrase. I
read that somewhere in my career. I don't remember where, but I so believe it.
We are, great companies are looking for leaders.
One of the things I was so proud of at Carbon Black,
and again, I'm sure you're seeing this at Devo,
is promoting from within,
finding great people who are talented,
who are strong operating leaders,
who can really scale in an organization.
And leadership is not just about promoting people. It's not just people who are strong operating leaders, who can really scale in an organization. And leadership is not just about promoting people.
It's not just people who are managing.
There are many individual contributors inside of an organization who are great leaders.
They choose to say, I want to be an individual contributor, but I'm a great leader.
There are senior, senior people inside of companies who are not great leaders.
And not every senior leader is a great leader.
What is leadership? Well, if you think about those rules I just kind of walked you through,
leaders are the team members, the individuals who you go to for advice. They're the people that say
what they think. They're the people that understand what the team or what they are trying to do,
why what they do is so important. They embody everything I've just talked about.
If you have a lot of strong leaders
and the willingness to lead,
which means you can't be afraid of failure.
You got to embrace failure.
If you have people who want to lead, the sky's the limit.
Sky's the limit for what you can accomplish as a company.
Yeah, and I think a lot of people confuse
a title with a leadership capability and you see a huge difference among people who can really lead.
So I value that point immensely. It's critical. By saying it in the company, you open the door
for that, for people to step in and up into those leadership roles. And again, by leadership roles,
I don't mean I'm leading a team.
I mean leadership roles in the sense of I'm going to say what I think.
Again, I may be an engineer building blah inside the product, but I'm going to say what
I think in order to try and make us operate better, to break down friction, to have a
better team, to do all these things.
You want that in a company.
You want that kind of a culture that really is open to promoting
that idea of leadership across the company. Awesome. Awesome. So then what's the last one?
Well, the last one is, in essence, a little bit of where I started, which is, in the end,
it's all about the customer. We start with the customer, with our vision and mission,
and everything that
we do, everything I've just talked about is all about building a company, a business that's
creating some value, doing something of value for a customer. And we can never forget that.
And as we scaled, you start to see more and more of your employees who aren't necessarily
touching a customer. When you're small, everyone touches the customer all the time. But the whole reason we exist as a company, the whole reason Devo exists
as a company is because you have a set of customers who are putting their faith and their
trust in you, especially in cyber, where they're giving you money to say, okay, help make us safe.
And so we can never forget that you always do what's right for the customer because that's why
we exist.
They pay our bills. They give us the money. They put their trust in us every day. Every day,
they think Carbon Black is keeping them safe. Every day, they think Devo is keeping them safe. That is an immense responsibility. And for all of us inside of an organization, we have to
internalize the importance of that. I've heard you talk about these in pieces as you and I have met over the years, and I'm really happy that we captured all seven of them.
And I will be grading myself in private on them.
And we can, on a non-recorded line, discuss them even more because I think it's fantastic and it's for sure a journey.
So, Patrick, you're on a short break now.
What do we expect next from you?
Well, I've been saying to a lot of people,
I spent 30 plus years building muscle memory, if you will,
on what it takes to run companies and run teams.
And I love everything I've done.
And life's short.
And so I'm taking a year, 12 months,
to really think through what's next and also try to break some of the habits
of what I've built the last 35 years doing, which is, okay, this is what I do. I go,
I work this many hours a week. I run a company, I run a team. And I want to take a step back from
that and try and break some of those habits. A little bit back to the think time we talked about
just to get some time to think and figure out what's next on the
journey. And so that's what I'm doing. All right. Awesome. Mike, it's a great place to
close things out on. Patrick, thank you so much for joining us on Cyber CEOs Decoded.
Thanks, Mark. Thanks so much for having me. And thank you to our audience for listening today.
Be sure to join us for our next episode of Cyber CEOs Decoded.