Posts Tagged ‘cyber security’

You Didn’t Have To Provide A Plan To The Board?

January 20th, 2017

One of the benefits and enjoyments I get from updating my blog is the questions that I typically receive from people asking for certain clarifications. This comes as no surprise since the original intent of my blog was to bring a little more transparency into how the Finance department operates relative to every other functional area in the company and what might be driving the actions or decisions of the Finance department.
With that said, I received a follow-up yesterday on the update I wrote on planning within a hyper growth environment. One of the main messages in yesterday’s post was that you really can’t plan, or at least effectively, in a hyper growth environment. With that message I was asked how the Board would accept that an operating plan wouldn’t be presented to them for the year. I have to say I was a bit amused at the question, but completely understood why it was asked. Not to mention, the Board would never allow such a hall pass from any team. There is ALWAYS an operating plan that is highly thought out, detail oriented, and usually has a number of additional scenarios that will convey what the impacts will be to cash and profitability if targets are missed or exceeded. For ballpark references, you might have the base scenario, as well as a +20% and a (20%) view. For a more mature company these ranges will obviously be tightened up when you have a higher degree of predictability and more history to base the plan off of. When you’re really just a handful of Quarters into a trajectory, which you are anticipating to double, and the trajectory starts looking like a 6-8x, then you have an entirely different beast to deal with.
So how do you plan for such a scenario? Again, as I mentioned yesterday, you really don’t “plan” for it, but you react to it and adjust the allocation of resources to support that new growth trajectory. As with any business, you have key indicators you look to gauge the health of the business and whether you are tracking to achieve the commitment made to the Board. The elements below are certainly not all-inclusive, but are merely a sampling of the items that could be watched when you encounter a growth rate that is entirely unplanned.
Billings & Revenues: While this is the key driver on which all spending decisions are made, the total number is not the overriding driver. There’s further review that should be done on the quality of that revenue, what the concentration is, and whether there are any key areas that are potentially missing against Plan. In the case of Cylance, we were constantly watching what our price per endpoint (PPN) was at every level. What that PPN was at a macro level, a channel level, a vertical level, as well as what they were for the duration of a deal. Looking to this number would indicate what the true health of the business was. Was there a single customer that accounted for a disproportionate share of the Quarter’s business, which in turn, might prompt a tapping of the brakes to ensure that hiring and spend weren’t getting ahead of themselves relative to the Plan and a normalized trajectory? Prudence should always reign supreme.
Gross Margin. Definitely a key indicator, but it also depends on what the structure of the billings is and how the terms being written may be influencing GAAP-based reporting. For a situation where multi-year deals are being done, it might be best to look at early results on a non-GAAP basis if a disproportionate amount of the activity is headed for the balance sheet as deferred income.
Headcount. For me, this was one of the key indicators as it related to our burn and this is certainly not just a single macro number, but a more complex element to dive into. First, what is the overall cost per head and what is the trend line on that figure? Are your costs per head staying constant or are you seeing an increase in that number, which might be tied to incentive plans that aren’t aligned with results, increasing benefit costs, or all of the above? Second, what are the average billings and revenues per employee? While the overall headcount might be increasing, this number should also be increasing with the results that are being achieved in excess of plan. It’s not a problem increasing headcount over the Plan, so long as you are seeing the achievement or increase in this planned metric. Third, what is the distribution of the headcount by functional area? Did the original Plan call for 12% within the Marketing area and now the revised number puts Marketing at 18% of the headcount? Is there a disproportionate growth in any one area because that functional area has successfully lobbied for additional staff that is not consistent with industry norms?
Facilities. This area is obviously heavily influenced by the increased headcount that is occurring to accommodate the unplanned growth. If historically Rent expense has been 2% of your operating expenses then this is the approximate metric that needs to be followed in order to stay consistent with the Plan. If you’re exceeding Plan and need more staff then this number, while increasing on a constant dollar basis, should still remain at approximately 2%. As an example, you’re planning a $25M year, which would allow for approximately $500k in rent expense. If the new trajectory is now $100M, then theoretically you would have $2M to spend on rent to accommodate the additional headcount needed to support that growth. Ideally you also start achieving economies of scale where you can actually see that number go down as a percentage of spend. If you miss your billings number, hire all the folks, commit to even more rent expense…then you’re going to find yourself in a bit of a bind. It’s akin to “I’m going to get a big raise next year so I’m going to buy my second home and a new car for my wife and I…”. And when it doesn’t happen?
Systems. This is another area that needs to be heavily strategized and managed in a hyper growth environment. There will be unplanned upgrades that will necessitate spending in the $500k-$1M range that, while necessary for growth, were previously balked at due to their cost and the original trajectory you thought you would be on. You might have thought you had another year…or two…to bring them online, but now seeing a 6x freight train coming at you there is no other choice than to start throwing a ton more coal on that fire and get up to speed.
Culture. We’ll discuss this in another post…or posts.
This barely scratches the surface of “planning” in a hyper growth environment. It’s more about regulating the health of the patient, making sure the vital signs are remaining healthy, keeping your finger on the pulse and knowing how to respond. It’s the doctor that has decades of experience, treats every patient the same, only to realize he has misdiagnosed the patient and either administered the wrong medications…or too many. It’s about collaborating with the broader team in making key assessments, discussing with the team their needs, and ensuring that the resources (MONEY) are properly allocated and within the range of the original Plan that was discussed.
Thanks for reading…

Jeffrey Ishmael

Off To The Races & Billion Dollar Valuations…

December 13th, 2016

With the original Cylance team established in July of 2012, the orchestra came together and at that time there was a unified vision to transform the security market and change the way that corporations were thinking about their security infrastructure. We were less than a dozen people working in the living room and bedrooms with a goal of security transformation, and in the eyes of our founder, achieving a billion dollar valuation inside of 4-5 years. When you’re starting on fold-up tables there is no blueprint to getting there…only a bit of a dream. However, that’s exactly what the team was doing in those early weeks and few months…creating the blueprint on white boards and oversized post-it notes. The team was sparring on a daily basis on what approach would achieve the best commercial results. It was all about specifically identifying the value proposition behind the vision of the tech that had been decided. While we were not trying to build a new company in a high growth sector, we knew the security sector was dominated by dinosaurs and there were billions in revenue that were ripe for disruption. Cylance was going to be the disrupting force in the equation and that’s exactly what the team was focused and unified on accomplishing.
We also knew that we could accomplish the goal while being very surgical in our spend and that our success would be based on a breakthrough tech and not spending tens of millions on advertising campaigns, spending ridiculous amounts early on trade shows, non-value add events, as well as keeping our hiring cadence under strict control. The company cash burn was extremely minimal in the early stages and it was nearly 18 months before the company received its second round of investment in February of 2014. As we continued to bolster our headcount, invest in the Services team, and gradually moved into new offices, the original $15M investment lasted that first 18 months. Again, we were extremely surgical in our spend and spent every dollar like it was our last dollar. A philosophy that managed to last the better part of almost 4 years…
While the Research team was focused on developing the product there were a host of other operational issues to address as we started to grow as a company and would need a foundation for the first few years. First on the list was to find commercial space as we would definitely need to move out of the house. While a remodel was imminent, we were also working in a space where there were water leaks, open beams with exposed nails, and all the other fun elements of a home start-up! You can imagine the response received when you’re trying to meet with The Irvine Company on a commercial lease, as a new company, no revenue, and you want to sign a 5-year lease and then have them pick up all the buildout and incorporate it into the lease rate so as to minimize any immediate cash burn. On top of that…and as a start-up…you’re also asking them to have certain restrictions on competitors worked into the lease as well. Suffice to say that we had a pretty weak position and it took more than a few meetings to get them to buy into our vision and the growth we were looking at achieving. At that stage, it was a huge accomplishment to get our lease signed with The Irvine Company, in a premier location, with building top signage on both sides….and all with a minimal security deposit. Score one for Cylance!
Even with our new lease, we kept our spend to prudent levels that were consistent with our philosophy. Rather than spend six-figure amounts on furniture, we committed to a new entry level offering from Steelcase that could easily be added to as we grew…but not before staying on fold-up tables for many months before getting into our new space. We all tended to joke that fold-up tables had become part of the Cylance DNA.
Next on the list was our corporate insurance portfolio. Rewind to the start-up that had no revenues, still had less than a few dozen employees, had actually been turned down by Marsh for being “too small”, but seeking coverage in the low 7-figures. I looked to a prior relationship and again found a partner that believed in our vision as well. Fast forward a few months later and securing our first few customers and we were already going back to ask for additional increases in coverage to the mid-seven figure range. This drill continued on almost a quarterly basis until a final larger customer pushed the coverage limit again…to a point that exceeded our billings on even a cumulative basis. Again, transparency and strength in our relationship got the coverage in place. While there were certainly some raised eyebrows, they believed in Cylance and continue to realize the benefits of the relationship, which now extends on a global basis. Again, it came down to relationships, communication, and a mutual respect on both sides to manage the expectations on such a hyper growth path.
Marketing? The first few shows were an absolute kick to plan being the new kid on the block. Our burn was primarily aimed at headcount support, but we also knew we needed to start getting the Cylance name out there. For the first few RSA and Black Hat shows we had the luxury of being an unknown and used it to our full advantage as the team rolled out a full guerrilla assault on the show. With everything from custom napkins dropped in bars, to rented suites to meet with potential customers, to other similar means, we made a huge impact in those early days and clearly got the Cylance name out there. Not immediately recognized post-show, but we established the open-ended question of “Cylance?”. We were clearly on the radar at that point…and already starting to create discomfort with our competitors.
At this point, there was still a unified team, all engaged in the same direction, and we knew the end play we were headed for. We knew we were going to be able to achieve our objectives without putting excessive spend in place. What I appreciated at this point, which was similar to the philosophy we had in place at DC, was that we were operating in a brand first capacity. There were no decisions made in the best interests of a person, department, or other agenda…it was all about Cylance. With this philosophy politics were still being avoided and there were no silos in place. We all bled green. Along with this approach was the continued prudence in spend throughout every level in the organization. We were pacing well, the product was coming along, and all indications were that once product was commercialized in 2014 we were going to start eating our competitors’ lunch. What our competitors didn’t hear was the increasing sound of the Cylance war drums and their sunset turning a bright shade of green…
Thanks for reading.
Jeffrey Ishmael

Is Your Corporate Security Worth The Cost of a Monthly Latte?

February 18th, 2015

I’ve had the opportunity to work with some incredibly sharp Finance folks, many of whom are able to deliver on their budgeted results regardless of what curveballs are thrown at them. Some are able to effectively deal with shades of grey while exhibiting a focus on what is best for the company. Others are rigid, run the company with an iron fist, and if not budgeted….it’s not going to be spent…no matter what. It’s the latter approach that I have seen quite often recently and it leaves me scratching my head as to the flawed logic that drives their actions.

As you can imagine, I’ve had the opportunity to watch our team deal with some of the most serious breaches, which are usually reported across most newswires. Breaches that could have easily been prevented, but are now going to cost companies a significant amount to repair, as well as have to rebuild their reputational goodwill with customers…or in some cases, spend more to offset the loss of critical IP.  In the midst of these breaches, I’ve seen companies argue whose budget will carry the cost of the response because it wasn’t part of the original plan. They sit and quibble about the lack of Budget dollars in the face of a breach where millions of records have been released or critical IP has been compromised.

Let’s back up though to a point in time prior to the breach. The Cylance team goes in and walks through our technology and displays its absolute effectiveness to the prospective customer. It is all too clear that our solution crushes the traditional antivirus “solution” and would either protect them from malware that has hit their competitors, or in the most optimal display, would have prevented the breach that had just occurred. They’re also shown the efficiency with which our platform operates and places a CPU load in the low single digits, which again, is at the opposite end of the traditional antivirus spectrum that typically has the CPU redlined under an attack. Let’s not even talk about the additional costs of incident response that have to be carried in the event of a breach, which are often in the range of $400-500/hr depending on the seriousness. Don’t like paying legal fees for frivolous actions? Try paying those fees when you know they could have been avoided for the cost of a latte…

As simple as this sounds, it really does come down to the cost of a latte…and this is no joke. Companies cater business lunches for “working meetings”, companies tend to get a bit loose in the wallet for other “business events”, but there is also the retort of “we don’t have any open spend for this area…”. So let me rephrase what you just said:  Are you saying that you don’t have any open spend equivalent to the cost of a coffee for each endpoint in your enterprise to ensure the security of your employee records, customer records, and critical intellectual property?

While I certainly don’t like surprises or unplanned spend, we are certainly operating in different times and need to be able to adequately protect the data and prior investments we’ve been entrusted with. It used to be a failed ERP implementation that might cost a CFO or CIO their job, but now it will likely be ineffective security spend and ineffective deployment that will cost jobs. When the situation has the absolute ability to affect revenues and jeopardize key data…the CFO has to be involved and do what is best for the business. Perhaps that’s something to consider when you’re sipping that latte during your transitional networking meetings…

Thanks for reading.

Jeffrey Ishmael

CFO’s & Cyber Risk: Protecting Your Performance…& Shareholders

May 2nd, 2014

As a CFO, I can’t help but be a bit shocked at the recent article on CFO.com “CFO’s Disregarding Cyber Risks”.  In my position, and more in relation to my past positions, my involvement with IT-related activities typically centered on the ongoing assessments of our ERP platforms, annual budgets, necessary capex, and the standard operational issues. I can honestly say that cyber risks were really not part of our ongoing concerns, nor was the topic ever tabled by the rest of the senior leadership team or the Board. We also weren’t planning in an environment where billion dollar breaches were being reported in the press.

Fast forward a few years and it’s hard not to take note, and initiate an elevated level of planning, in the face of the Target breach that occurred just prior to the Holiday shopping season. I don’t care what industry you work in, any CFO should take note of a company which, in a single Quarter, revises their earnings estimates down by 25%, or approximately $250 million. How about a revision in revenue estimates that takes the topline down by almost $1 billion….in a single Quarter! Even more importantly, at the time of the revisions, the company was unable to assess the potential impact of the breach beyond the current Quarter. That event by itself should have every CFO looking over their shoulder and considering the proverbial “what if”. Evidently not…

In the recent article on CFO.com, which drew 600 responses, CFOs ranked data privacy only 12th on their list of corporate risks. In comparison, data privacy ranked 26th on their list in 2013. While the level of importance is rising, it’s still not being given the proper level of attention. At the top of their list was legal and regulatory shifts. In hindsight, I would love to have someone provide me an example where legal or regulatory changes resulted in an immediate and material revision to earnings or revenues. These are typically changes that are discussed over extended periods and phased in, thus allowing the company and shareholders to digest the resulting changes in how the company reports its results. This is in stark contrast to waking up and realizing you’ve just compromised the privacy for 70 million of your customers in the most critical shopping time of the year.

What was also concerning about the article is that 57% of the respondents weren’t analyzing whether they had enough cyber insurance coverage or weren’t undertaking additional key activities to sufficiently mitigate cyber risk. This was not only happening at the senior leadership level, but at the Board level as well. While the public and general investing community is aware of the breaches that are reported in the press, I know I have taken an entirely different approach to my personal cyber security as a result of the work I see our team doing across a wide spectrum of industries and with companies that are very recognizable to us all.

As a CFO, if you want to ensure that all of your cost-saving initiatives and EBIT performance aren’t compromised, the investment in a security solution will pale in comparison if you do encounter a significant breach…

Thanks for reading…

Jeffrey Ishmael

Cylance, Inc. Launches & Comes Out of Stealth Mode…!

February 13th, 2013

Cylance, Inc. today formally announced $15 million in funding from Khosla Ventures and Fairhaven Capital, along with the Board of Directors and Advisors that have been put in place to help guide the company for the years ahead. While this day is merely the culmination of months of hard work by a team I have come to admire over the last 7 months, it still feels fantastic to take a day and celebrate the accomplishments of the team and what we have to look forward to. The full details of the press release can be found on our website at www.cylance.com.

A bigger affirmation for the mission and future of this company are the backers and advisors that have come on board. Khosla Ventures was founded in 2004 by Vinod Khosla, who was formerly a General Partner at Kleiner Perkins, as well as a co-founder of Sun Microsystems. Fairhaven Capital is a venture capital firm focused on themes in the enterprise, physical technologies, media infrastructure, and security markets. Neither is a stranger to technology, nor to the talent and abilities of Stuart McClure, the founder of Cylance.

In addition to the funding, Stuart has been able to assemble an incredibly high caliber Board of Directors and Advisors with additions that include Patrick Heim, former Kaiser Permanente CSO and now Chief Trust Officer at Salesforce.com, Admiral William J. Fallon, U.S. Navy (Retired) former Commander, U.S. Central and U.S. Pacific Commands, and Alex Doll, former co-founder and COO of PGP who sold to Symantec in 2010, who will guide the Company to achieve its goals. With this Board pedigree, Cylance has a deep and diverse team to help guide the Company. An equally talented Board of Advisors brings together a diverse group of experts to solve the complex security problems that the industry currently faces. Advisors include: Paul Forney (Invensys), David Willson (Army/NSA), Shane Shook (KPMG/PwC), Robert Bigman (CIA), Stewart Baker (Steptoe/NSA), Alex Nazaruk (GetCo), Michael Rauchman (GetCo), Eric Culp (formerly of ESRI), and Joseph Gabbert (formerly of McAfee and EMC).

The team here at Cylance has an incredible opportunity, and a fantastic level of support to carry out the mission at hand. As I’ve written in previous posts, it’s all about delivering on what you promise and driving high levels of performance. With the team and backing that has been assembled, this is merely the first step. There’s more to come, but it feels great to formally step out from behind the curtain and share more detail about what has been assembled for the future.

Thanks for reading…

Jeffrey Ishmael

On The Path of Acquisitions & Vulnerabilities…

January 17th, 2013

While I tend to have a bit more fun writing on the topic of Finance and corporate financial performance, I can’t help but take another opportunity to brag about the fantastic organization that has been assembled here at Cylance and additional accomplishments that we’ve announced today.

Stuart McClure, Cylance Founder, has a tremendous talent for identifying advanced technology and great people, which is what led us to the acquisition of SpearPoint Security Services. SpearPoint primarily assists businesses in protecting industrial control systems. In a further affirmation of their talent, the two founders of SpearPoint, Billy Rios and Terry McCorkle, were just recognized for a vulnerability discovered in a Philips medical x-ray machine, which subsequently gave them access to additional peripheral information. The find is now further affirmed with the involvement of the FDA.

I’ve also previously stated that I work with some scary brilliant folks. Now we can add Eric Cornelius to that mix, who just stepped down as Deputy Director and Chief Technical Analyst with the Department of Homeland Security’s Control Systems Security Program. Additionally, we’ve hired Glenn Chisholm as our CISO, who was the former CISO for Telstra Corp, an Australian telecommunications supplier. While I’ve always said “Finance is Fun”, working with such a tremendous talent pool has really changed the game.

Although it’s only been a week or so since we stepped out from behind the curtain to announce other developments, it’s back to stealth mode and back behind the curtain. Already looking forward to future announcements we’ll be sharing.

Thanks for reading…

Jeffrey Ishmael

Cyber & Network Security: “I See Said The Blind Man…”

October 31st, 2012

After joining my latest company, I’ve found myself exposed to a group of brilliant individuals who have a laser focused fascination for cyber security and every subtlety tied to it. For those that know my background, the natural question is how did I get pulled into this one? After my tours of duty with Quiksilver & DC Shoes, Schneider Electric, Pacific Sunwear, and investment banking, the security industry is a bit out of my realm. But then again, I wasn’t brought in for my security expertise, but for my ability to drive financial performance and create a foundation for the rest of this group to prosper.

However, it has been an eye-opening experience working with this group. Although all the companies I’ve worked with had extensive IT departments, as well as a focus on “network security”, this is a whole different level. Literally, on my first day with this team, I took immediate actions to tighten down my own personal information after reading a few articles that were forwarded to me. One article in particular discussed a journalist who literally had his identity wiped clean, including family pictures kept online, after his accounts were hacked. Unbelievable.

The more noticeable hindsight to me as I was discussing other companies with our team is that I don’t recall EVER receiving an email where the file was password protected. Now keep in mind that I’ve worked for a number of different public companies, as well as equity research at an investment bank, and I have NEVER received a password encrypted file. Maybe a password so I couldn’t alter the structure, but not to actually open the file. Even in my own previous approach, my idea of “locking things down” was to send any forecast or financial info out in PDF so it couldn’t be modified. I’m pretty much chuckling at that approach now in comparison to what the daily MO is here.

What is even more interesting is the approach that most corporate IT departments are taking with regards to internet access, the opening of unfamiliar links, the lack of ongoing security training, and the relative absence of putting any significant effort into this area. Most companies may not offer that much for a targeted attack, but the subsequent cost and loss of productivity is an entirely different matter. I know I’m looking forward to the continued immersion & learning about this industry. For myself, the obvious phrase that came to mind was “I see said the blind man…”, but I think I’m still relatively blind on the security front.

Thanks for reading…

Jeffrey Ishmael