How to build a security firm
in three not-so-easy lessons

petersen-sliderBy Robb Reck

I

n March I began my quest to interview some of the most interesting folks in the Colorado security community. The goal of this series is to explore some different perspectives on security in the region, and have some fun doing it. The first installment was an interview with information lawyer Dave Navetta.

This time I had the pleasure of sitting down with Chris Petersen, CTO and co-founder of LogRhythm. For those unfamiliar with it, LogRhythm is an independent security intelligence company. They are one of the heavy hitters in the continuously growing security information and event management (SIEM) field. Any serious conversation about the SIEM field will include them. All that, and they are based right in our backyard.

I chose to reach out to Chris Petersen to get the perspective of someone who started with just an idea and some development skills, and turned those into a market-leading security organization. Over the last few months, I’ve asked some local security folks what they’re interested in. One of the topics that kept coming back to me was, “How do I go from my good ideas to a product that generates value?” My hope is that Chris can shed some light on that question.

I worked through a contact I have at LogRhythm (thanks Jim!) to get in touch with Chris and set up a time to get together. On April 8th I made the trek to Boulder for the meeting at the LogRhythm headquarters. The facility is a fairly standard building from the outside, but inside it has all the trappings of a growing tech company. Way too many people crammed into too small a space, foosball, ping pong and free sodas were expected. The roll-up doors that make for a great BBQ setup were unique and very fun. Chris and I settled down in a conference room and spent about an hour chatting.

My questions are indicated in bold, with Chris’s responses paraphrased below.

Chris, to start us off, would you tell me your story? How did you end up starting LogRhythm?

After college I worked for PricewaterhouseCoopers (PwC) doing IT audit. While there, I came into contact with their security services practice; the teams that got to do interesting things like break into banks for ethical hacks. That practice piqued my interest, and I decided to move into that area.

It was at PwC that I started developing tools to help with these assessments. Specifically, I created tools to help with the security assessments, database audits and an early GRC tool (Governance, Risk Management and Compliance). The creation of that GRC tool got the attention of Ernst and Young, and they recruited me and my boss, and we went there to build out their national security practice. There I developed the software tools to help deliver their services, and was able to help build one of the first managed vulnerability services, which we offered to our customers.

A Qualys type tool?

Yes, similar. At Ernst and Young I really had the opportunity to hone and improve on my development skills.

Where did you learn to code? Were you trained in school?

No, I mostly just picked it up. I taught myself how to code in order to solve problems. From automating assessment tasks to creating that early GRC system, I created ways to do my job more efficiently.

While at Ernst and Young I built a 10-person development team. After that I went to Counterpane, Bruce Schneier’s company. They were one of the first MSSPs (Managed Security Service Provider), located out in Silicon Valley. I moved out to San Jose to help CounterPane develop their MSSP backend, which was essentially a SIEM.

I had always wanted to be an entrepreneur, and after CounterPane I evaluated whether I was ready to do that yet. I decided that while I had successfully proven that I could develop meaningful products, I didn’t yet know how to take a product to market. So before I would start my own company, I wanted to get experience with things like pricing, packaging, marketing and selling a product. So I sought a position in product marketing.

I landed a position with Enterasys Networks as the Product Marketing Manager for their Dragon IDS product.

That was a pretty big job change, isn’t it?

Yes, absolutely. But it was very good. I have always looked at myself as the CEO of Chris Petersen Inc. I saw this as an opportunity to help round out my organization, and get those skills I needed in order to accomplish the goal of entrepreneurship.

I worked at Enterasys for a couple of years, getting the experience I needed, and felt that I was ready to start my own company. However, it wasn’t easy to make that jump, to strike out on my own.

In 2001, about a year after I joined, Enterasys ran into problems, specifically an SEC probe. Over the next 12 months we lost quite a few people and experienced multiple rounds of layoffs. It was a tough time. One morning on the way to work I prayed that God would give me the courage to move on and start my own company. That same day I got laid off.

Wow. Is that a sign or what?

So yeah, I guess I would take that as a sign. After that, I headed out to Colorado to clear my head a bit. While there at Steamboat, I met up with Phil Villella, who was working on his PhD in Physics. He was creating algorithms to help determine interesting things, like whether a missile in a silo would go boom after sitting there for 20 years. So he had a skill set to find interesting facts from massive amounts of data. That’s where our paths crossed. I shared some of my ideas for analyzing data from systems like firewalls and intrusion detection systems, and he brought his expertise in teasing out actionable data.

Phil Villella

Chief Scientist & Founder
Phil Villella

We ended up spending three weeks at my place in DC, determining whether there was a real product there in our ideas. We sat at my kitchen table creating prototypes, testing if we could use authentication data to identify a compromised account. We were trying to look at the data in a different way to eliminate false negatives (missing real security incidents). In the end we proved that we could do it. And we decided this concept had real value.

Then we had a decision to make. Is this a technology that we would license to other companies, like the ArcSights of the world? Or would this turn out to be its own company? What we realized is that even if we built the algorithms, nobody was really doing SIEM right. So to really achieve our vision, we needed to reinvent SIEM and do it right.

Once we decided that, we went all in. I sold my house, netting about $100,000, and we pooled our resources to live on for the next couple of years. We rented a house together so we could bootstrap the business and get a product to market. Rather than seeking out venture capital early on, we decided to put our time and focus into building a great product and finding some customers.

At about that same time, in early 2004, we decided to move back to Boulder, so we’d be living where we wanted to be in the long-term. Colorado was close to our families, and it is where I wanted to settle down and start my own family.

Through these years we were living as cheap as possible. We drank a lot of Miller Lite, ate bone-in chicken thighs and beans and rice. We really kept all expenses as low as possible.

Miller Lite, huh?

We do like good beer, but it just wasn’t in the budget.

No sales at this point, right?

No, we were mostly just working on the product at this point. After about two years exclusively focused on development we knew we needed to focus on other aspects of the business. While Phil continued to focus solely on product development, I began working on other areas including creating marketing collateral, making cold calls. In this timeframe we attended our first trade show to drum up leads.

Is that where you got the first sale?

No. At about that same time a friend of mine was working at Wall Street On Demand in Boulder. He made an introduction to the IT team there that was looking into log management. In May of 2005 they became our first customer. That was good timing — they wrote us a check for $40,000 for a software license, and by then, all of our money was gone. I had begun putting things on my personal credit cards. There was no more money in the bank and we were getting pretty nervous.

Andy Grolnick

President & CEO Andy Grolnick

Shortly after getting our first and second sales, I met an executive through my USTA tennis team, Andy Grolnick. He was a blue chip. He had been supporting some entrepreneurial incubator programs and doing general consulting for start-ups. He had been the general manager for the Iomega Zip Drive. He was definitely someone who had “been there, done that.” That’s a hard thing to find in Boulder.

At the same time, we saw the competitive landscape changing. There were new competitors emerging, and many of them were very well funded. They were going to market with a very similar story as ours, but they were doing it with a bigger team, and a lot more money. We decided that in order to compete we needed to bring in a CEO who could help us get funding and allow Phil and me to focus on product.

So we started to recruit Andy to LogRhythm. He took a deep look, and we were able to convince him to join us in September of 2005.

So now LogRhythm has employee number three?

Yes, exactly.

We were very careful about who we brought in to invest. All three of us were in violent agreement about what we wanted to make the company into. We wanted to build a company where:

  • We and others would enjoy coming to work
  • Innovation is highly valued
  • Customer success and satisfaction is a focus
  • We could control our own destiny

Our focus on those goals from an early point was critical. It led us to put off getting funding longer than usual; get more customers before we took funds, which ultimately allowed us more flexibility to pick the right kind of investors. Those who shared our vision for the kind of company we wanted to build.

It sounds like there’s some advice for the would-be entrepreneur there.

Absolutely. Be very careful about who you bring in as an investor. Those people will be the ones sitting around the board table with you, deciding the future of your company. You want to be sure that they will be a good partner. Be careful who you do business with.

So you took capital. What did you do with that money?

We used it to grow quickly, and it paid off. We had an annual growth rate (CAGR, for the financial types) greater than 100% from 2007 to 2011 and have continued to see accelerated growth well ahead of the rapidly growing security market.

As you look back on the LogRhythm story, what do you think were your biggest challenges?

I had to be willing to invest all of my savings, with the full knowledge that I could very well lose all of it. And I had to be okay with that.

The first big challenge was simply making that total commitment to doing this. With an effort like starting a company, you can’t stick one toe into the water. I had to be willing to invest all of my savings, with the full knowledge that I could very well lose all of it. And I had to be okay with that.

That said, those first years were also among the most fun. Bootstrapping and creating a product was great. But underlying all of that there was always uncertainty. Will this really work? Will the money hold out?

The second biggest challenge was the decision to give up some control of my company. This is one area where a lot of entrepreneurs fail. It’s hard to bring in someone else to be the CEO of the company you founded. However, it was clear for us that it was the right thing to do. If we hadn't brought in someone else to be the CEO I could have strangled the vision of my company by holding on too tight.

Okay, changing topics on you. For those reading this and looking to get into the security field, what are the skills that you’re always looking to hire?

Software engineering and architecture is always in demand.

General security professionals. Threat detection, security analytics, incident response, forensics, and intrusion detection.

Finally, in our labs area, we’re always looking for experts in malware research, APT research, and general cybercrime knowledge.

One last question for you. What is the biggest mistake you see CISOs and other security leaders making?

There is still too much of a bias toward preventative security controls. While prevention is important, we should be focusing much more on monitoring and incident response so that we are aware when prevention has failed and can respond to it. Unfortunately we operate in a world where it’s not “if” a company will be breached, but rather “when.”

♦ ♦ ♦        ♦ ♦ ♦ ♦        ♦ ♦ ♦

Thanks so much to Chris for taking the time to share his experiences. It was really fun for me to hear the story of how he identified a need, found a great team, and eventually built one of Colorado’s best companies. I hope it was fun for you guys to get to ride along with me. If you have thoughts on other Colorado security individuals (or types of individuals) you’d like me to speak with, drop me a line and I’ll see what I can do.

Connect with

Share