Julian: Hey everyone. Thank you so much for joining the Behind Company Lines podcast. Today we have Chris Kirsch, co-founder and CEO at runZero, a company he founded with Metasploit creator HD Moore to help companies solve their asset inventory challenges. Chris, thank you so much for joining the episode and taking the time.

I'm excited to chat with you in particular about not only your experience, but. Kind of what, what the technology is that you're building and around the, the different challenges you're facing or, or other companies are facing that, that you solve or that, you know, runZero solves, but also interested in the, the, you know, structure of, of how you build.

Cause I think it's really illuminating you know, how, how companies kind of focus on building their products around either, you know, their clients, their customers, their market, the product the, the feedback they get. So, really excited to dive into all that. But before we get into. What were you doing before you started runZero?

Chris: Yeah. Thanks for having me. So, I have pretty much always been in cybersecurity for my professional life. I mean, I. You know, before my professional life, I, I studied political science and those kind of things. I actually was a graphic designer in my very first job, but for now, pretty much 25 years or so, I've I've worked in cybersecurity and it started out in, back in Germany.

I was friends with a few people who were. Spinning out a software company a security software company from a consulting company. Yes. And they, you know, took me on board. I was employee number three, which was fund, which meant I was doing everything that wasn't coding and . And yeah, we built the company.

We sold it once our acquirer went, went bankrupt. We bought out the assets again, sold it again a second time, and that was to PGP Corporation. That's how I came to the States because I was a, a company over in Palo Alto.  

Julian: Wow. It's so fascinating to, to think about you know, not only the security space, but also, you know, in terms of the acquisition component.

You know, I do want to touch on security, but in terms of the acquisition, what was that experience like? Were you receiving multiple offers? How did you end up choosing the company? You did? And I've never heard of a company buying back their assets and then reselling the company. So what was that process like and how long was that timeline?

Chris: Yeah, that was well, I, I wouldn't recommend it. Yeah, . I wouldn't recommend it because, our, the, the acquirer was a company called Biodata. that was a very highly respected, kind of like newcomer on the German version of the Nasdaq. And they had the most successful IPO on the, on the German Nasdaq.

It's called Noya Mac. And , everybody was kind of banking on this company. Yeah. And so they offered to acquire us for all stock. And the, the company was built on less solid foundations than everybody thought . And they actually went bankrupt 11 months later. So, our, our subsidiary was still profitable, but the, the parent company wasn't, and kind of pulled us into bankruptcy.

And so we worked with the. trustee, I think it's called in English. To buy back the assets. So we didn't buy out the company, but we bought out the assets from the company. So, anything from the, from the ip, from a source code and, and, and copyright and usage rights and so on to, literally like the, the, the furniture

Right? and because the company was insolvent, we got it for a very, reasonable price. In, in Germany, the trustees are, Primarily concerned, they're appointed by the state and they're primarily concerned with preserving the, the jobs, right? Yeah. Yeah. So by giving us a, a decent price for us to start over, and especially because we didn't have any.

any fault in in the bankruptcy they gave us a, a good deal. And so the second time around the company that acquired us was our biggest competitor wow. From the States. And so we were only really selling in Europe. and we had taken some pretty big accounts from them, like, Big manufacturing companies, electronics, manufacturing, car manufacturing, all of that stuff.

And, they wanted to expand into Europe. And so they bought us, you know, with us, they bought some market, they bought some technology because we had overlapping but not, not perfectly overlapping, secur security products. So they got a new product out of it and they. with one, you know, acquisition. They had people and an entity in Germany that they could use as their hub for Europe. Yeah. And so that was really interesting.  

Julian: Yeah. Yeah. It seems, it seems advantageous on both parts, you know, not only with the acquisition, I'm sure, but, but with how the structure of, of setting up, you know, another entity in another country because that, that is a huge challenge for a lot of, it's becoming less of a challenge with, you know, other companies like deal.com who, who kind of help facilitate, you know, hiring in other countries as well.

But, what was the experience like for you? Was it an acquihire? Were you then working under the company for a little bit or did you kinda let the project go and work on other things?  

Chris: Yeah, I, I wouldn't call it an ahire because the, there was a lot more there than just the employees. Yeah. But, I, I basically, at that point, my, my husband at the same time, funnily enough, is, was pure coincidence, had taken on a job to move to Boston.

No way. So I, I, I thought, Hey, this is perfect so I can, I can move to the states with him on a, on a Visa. And so we, convinced the acquiring company that they would take me on in the States. They would've preferred me either in Frankfurt or in Palo Alto, but not halfway in between in Boston, if we made that work.

Amazing. And stayed with him for a while. stayed with 'em for another three years, working remotely and flying to Palo Alto a lot and, and doing a lot over the phone. But yeah, that was a good time. That was really interesting.  

Julian: Yeah. It's so fascinating how, you know, the acquisition kind of relationship works with the acquirer and founders and I'm always so curious about that experience because it seems not always cut and dry.

And there's a lot of new diligence that has to come from that and. And it all, you know, it all, you know, kind of, I guess ends up being, you know, how it is at the end, but would you have done it differently?  

Chris: So, I mean, first time around. The, the big lesson learned was a couple of, were were a few things. Number one, just because a, an acquiring company is really highly rated in the press, doesn't mean that they're actually solid. Yeah. do your due diligence, both directions. second is, don't get paid in all stock. Yeah, yeah. Right. Because, the, the stock was also. , locked up. There was a lockup period for, for 12 months.

Yeah. Right. Wow. And they went bust after 11. 11. Yeah. not, not a great acquisition, right. Overall, yeah. Yeah. And, second time around, I think that actually worked pretty well. That was a combination of cash and stock and. Hey. So with a cash alone was a, was a decent deal, plus a little bit of stock, and that paid off a few years later too.

Yeah, so, so I, I think that was a, a better deal. Plus the acquiring company was more solid and actually in the same, you know, exactly the same space, not, you know, like vaguely in the same space, Aswan. So it's much, much better alignment.  

Julian: Yeah. Yeah. No, it makes sense. And in regards to runZero, you know, you, you went through this acquisition, you've been in this cybersecurity space.

What in particular was the catalyst for, you know, solving the problem about asset inventory and, and, and describe to our audience who doesn't know what the problem of that companies have with you know, managing or, or the challenges that they face, with their asset inventory?  

Chris: Sure. that really started out, I, a couple of companies later. I was working at Rapid Seven and Rapid seven is a big, now a, a giant cyber security company here in Boston. I think they're around about 2000 people. When I joined them, they were maybe about 70 people or so. So much smaller. Yeah. And, they had, one product called Nexpose for vulnerability management.

They had acquired a, an open source project, called Metasploit and with that project, the, the founder of that open source project called HD Moore, and, they brought me on board as a product marketer to help, turn that into a business. Right? Yeah. So to, message it and to work with HD to build a commercial product on top of the open source core.

And, to then train the sales team talk to the market in, you know, keep the open source community happy, all of that stuff to to turn that into a business. And so we did that together. That's HD is today is my co-founder at, at runZero. And one of the things that we learned from. People, you know, security practitioners in the, in, in the industry.

Even then was that they said, Hey, you know, like all of this cool stuff you're doing is great. Yeah. But I don't actually even know what's connected to my network. Right. Yeah. I have much more basic problems and a few years later, you know, between Rapid seven and one Zero, there was another company I joined for four or five years, so even.

You know, over that long period of time, yeah, the industry hadn't solved it. And it's not just a problem for big or small companies, like everybody's got the same issues and if you don't know what you have, you can't protect it. Yeah. Right. So you need to have an inventory first before you can start protecting it.

Yeah. And then during that time also a few technology disruptions happened. So, IOT devices, so all sorts of embedded devices, you know, took hold not only in, in the homes with like the thermostats and the Alexa and you know, Google voice or whatever, but also in organizations. Right. So in, in, in office spaces and so on, like you've got, you've always had your, your HVAC systems, your aircons, right?

Yeah. Yeah. And you have your ip based surveillance cameras. You have your, your door controllers where you swipe your badge, all of those things, like the offices had a lot more IOT devices. Yeah. And some of those got, got hacked. Right. And, and yeah, if you don't have those in your, Inventory you can't protect them.

You can't make sure that they're properly taken care of. There was a fun case, this is a few years ago, but a fun case where a casino got hacked through a wi wifi connected thermostat in a fish tank, and they stole all the, they stole all the credit card data through that. So that shows you like, How those little things can have an outsized impact, right?

Yeah, yeah. Then you also had, you know, all the think of like manufacturing floors, like lots of automation there, like the robots, all of that stuff. And that used to be just under the purview of what's called like the OT engineers, operational technology engineers. Mm-hmm. , they were kind of like off to the side.

The IT departments were. Managing their stuff. They were handling the, the OT stuff. And the OT engineers were kind of responsible also for the security, but they didn't take security all too seriously because security to them meant safety for the workers. Right? Yeah. Yeah. So that you don't like weld the person to a car kind of thing.

Yeah. But , you know, a lot more automation happened and things started getting connected to the internet and so on. And then you had things like ransomware attacks that took down entire production lines. Yeah. Now, the security team was also being asked to also have a look at OT security. Yeah. And so, so there's a big overlap there.

So the, the world's now becoming more complicated, right? Yeah. For, to figure out like, what do you have connected to your network? And then, , you have the cloud, like a big, you know, all companies are moving stuff to the cloud, not everything, because you can't move everything to the cloud. Yeah. But a lot of the a lot of the workloads are moving to the cloud and then with the pandemic, more and more people remote.

Right. Yeah. So all of a sudden just, you know, what used to be just like a few computers in an office is now distributed everywhere. Yeah. And it's become really, really hard to keep track of all of that. Yeah. So that was the idea that we, you know, the, the thing that we wanted to solve because we had the technology disruption we had, even the previous problem wasn't, wasn't solved all that well.

Yeah. And so we saw an opportunity there and basically my, my co-founder is the tech the technologist. So he went off and, and had an idea of how to solve this. Yeah. And started out actually without me, I was still at, at another company. He, he prototyped it got some customers, got some revenue and then when he thought he had product market fit we connected, I was ready to exit the other. and I, I just texted him and he was like, do you want to come work here? I think it's time to scale this. So that was  

Julian: I love that. Yeah. It's, well, first of all, it's fascinating that companies didn't have, you know, a, a proper way to track their devices and but as you said, it's like you kind of don't think about the things that are coming online.

You think about the capabilities of it, the features it might have, but the security of it. The casino example is, is bizarre, but I mean, it's not too far from what we've seen in movies in like the early two thousands of things getting hacked through, you know, other separate devices that, that were just left unprotected and it's so fascinating in, in terms of security in particular.

I'm, I'm curious about, you know, you mentioned so. , I think in the notes coming to the show that, that you focus on a PLG motion, which is, you know mm-hmm. for those who don't know is product led growth. And what about that kind of gives you an advantage outside of, of, you know, an s SLG motion or something different especially working with security and because I feel like it's so intertwined and interconnected with those who are probably using your product, but would love to hear the advantages that, that you found going in that direction versus, you know, something.

Chris: Sure. So when you think, so we target enterprise security teams, right? As our buyers? Yeah. Those teams are very technical. They don't love talking to sales . And the, the traditional motion to sell to those teams is you have. a white paper or webinar or something like that, that's gated, that's, you know, behind a, a login form.

That's not login form, but registration form. And so they download it and then, you know, you have the BDR team that starts, you know, banging the phones and trying to get these people on the phone and spamming them over email. Yeah. And that really isn't super effective, right? Yeah. Yeah. Whereas, We were targeting the security practitioners and technical practitioners.

Yeah. They really like just trying out the product without having to talk to anybody. Yeah. And so what often happens is they would go to the website, read about it often through hearing about it through my co-founder, because he's quite well known through through the Melo project, and they would then maybe start out scanning their home.

Right? Mm-hmm. Yeah. Just playing with a, with a, scanning their home network. And then they say like, oh, this actually works really well. Let me try this out at work. So then they bring it at work to work. They, they scan small part of the network and they say, huh, this also works unlike corporate gear. Yeah.

So now they, they start inviting second and third user and say like, Hey, have a look at this. Found this, I think this could solve our problem. Right. And then what happens, like on, on, on our end, in the back end is we. You know, obviously the register, we have an email address, et cetera. We hook that up with HubSpot, which is our, both our CRM and marketing automation platform, and we start sending them automated drip emails to help onboard them, to put them in touch with the, with the right salesperson.

And all of these things are automated in the background, right? Yeah, because it, it, that kind of activity is. , you know, you have low response rates. It's not super profitable if you put, if you put a person on it. Yeah. But then as people start responding to these drip emails, then a person takes over. Right?

And then typically, if it's a, if it's an enterprise deal, you might do a, a proof of concept. So that means you work with a customer on Right. Establishing what do they want to achieve what do they. What are the, what outcomes are they trying to drive to? And then you help them set up a test environment where they can prove out the product.

Yeah. And then it goes into standard, you know, procurement, negotiation, legal, red lines. Yeah. And, and purchase.  

Julian: Yeah. What, what makes a PLG motion successful? And, and in particular, is it the, the levers you kind of pull in terms of what type of model? Is it a premium service? Is it, is it based on limitations to access?

And, and, and I feel like if you don't allow someone enough you know of their capabilities, it won't stick. But if you allow too much, then they might not. Need, you know, you're dead on to pay, to pay for more features. So how do you identify what's gonna be successful when you're going through a PLG motion?

Is it a lot of testing? Is it, you know, do you have a pretty good hypothesis? What, what works?  

Chris: Yeah. I, I think there are a few things to consider. So for us, the primary path is not trial to credit card, but it's trial to sales. That motion. Yeah. So we use it as a, as a lead generation. There are also other companies that have more of an e-commerce model where they're trying to drive people to a credit card purchase.

So, for for those things might be a little bit different. Second thing is you need to think about, okay, do I just want to provide a trial or do I want to provide a free tier? Yeah, we happen to offer both the. free tier is the, the, the trial is not limited at all or has very, very few limitations.

So if you wanna see the full breadth of the, of the product, you can do that. And you have that for 21 days. Wow. We can do that. That's a significant amount of time we can do that. Yeah. But you know, sometimes if you want to do a proper test, then you need a little bit of time. Right? Yeah. Especially if you have integrations.

Do you wanna show it to other people that you've got, schedule your meeting and all that stuff. And so that helps us show the full breadth of the product because the, the challenge is if you have a freemium offering that only has a very cut back. feature set, how do you then show the full capabilities of your product?

Yeah. So that you don't get underestimated because you don't have a conversation at this point. Right, right. And, so, so I think the trial is important. You have to be careful, with a time-based trial because, . For, for us it works because our product is meant to be used on a continuous basis. Mm-hmm.

and you set it up once and then you start tracking things over time and so on. And you, it's, it's really not conducive if you have to set up your entire environment every three weeks. Right. It's just super disruptive. It wouldn't, it wouldn't work. Yeah. But if you think of, let's say we're recording this on a podcast recording software.

Mm-hmm. , if you had a 21 day license fully featured and all you needed to put in was an email address, it would pretty, pretty hard to convert you off of that because you just re-register with a different email address every three weeks. Right? Yeah. So, be very conscious of like what your product is and what it.

Yeah, and how people can get around the system and, and how to upgrade them. And then the second thing is, for the, we have a free starter here, and that one, we, we cut down some limit, some, some functionality that we think is just enterprise grade and that's a premium. We provide that license free for environments up to 256 devices.

Yeah. So if you're, if you have a small company or a home network, you can just use the free version and that's completely fine. It wouldn't actually, I think the willingness to pay in that segment is fairly. And the, you know, if we wanted to serve that through a sales motion, it would be quite expensive in terms of the cost of sale.

So I'd rather have organic word of mouth through people using the product in that segment. And it also happens to be relatively inexpensive for us to host it for people. Right? Yeah. So I'd, I'd rather have that and have the word of mouth than, than to not serve that segment. And then you also get sometimes secondary benefits, right? So we fingerprint devices, so that means we, we look at what we get back over the wire and then decide, oh, this is a, a ubiquity IP camera with this model number and this firmware version, right? Yeah. We can't possibly have a lab that has all of these devices.

It just isn't feasible. Yeah. But by having a free version that a lot of people install and they scan their home networks, we can use that wealth of data to then finger, you know, run fingerprint tests and see like how, you know, how what thing is sufficiently different from another thing so that we don't have false positives and so on.

So it gives us a really good data set in. Yeah. Right. Without, without selling any anybody's private data. But it just gives us a bigger data set to just, you know, improve the fingerprints. And then also we let both paying and not unpaying customers provide feedback and improve fingerprints. Yeah. So they can say, Hey, you didn't quite get this device right.

Here is what it actually is, and then we improve our fingerprints and so on. So that's, that's how we get to really high accuracy. So there is more behind the freemium. than just the demand chain.  

Julian: Yeah. And, and I'm always curious in when you're, when you're working on an enterprise kind of sales motion, and it sounds like your, your product very much relies on, on, you know, one team member and, and then that kind of, Compounds on yourself.

People start using it in the implementation. It kind of grows within its own you know, team and department and organism. But during the, the enterprise sales motion, how do you stay motivated or consistent or, or because some of the sales cycles are so long, what's, what's your kind of philosophy or, or maybe strategy around continuing to progress even though, you know, one deal could be a huge deal.

If it doesn't go through, then, then you kind of have to start over. What are the different strategies you use to kind of continue that funnel to grow and and the patience that you need to stay motivated through that whole process?  

Chris: Yeah, so I think what you're describing, like the, the, the skillset that you need for that I think is basically sales acumen in an enterprise deal.

Like if you look at we split our. Sales team into two parts. So mid-market, which is below 5,000 employees. Yeah. And enterprise, which is above, it's an arbitrary number, but it's, you know, directionally accurate, . And when you think about the deals in mid-market, the deals are smaller, they move faster.

Yeah. There's less technical scrutiny. There are different requirements in terms of the, the maturity of the company's security, maturity of the companies that are buying and so on. So it's more of a transactional model. Mm-hmm. , in, on the enterprise side the deals are bigger. They take a lot longer.

You need much more experienced execs to account executives to, to manage those deals. And it, it's just a very different motion. Think about it a little bit. You know, one thing that clicked was when I was taking, I don't know what it was, some management training about personality types and you know, trying to figure out like what personality type do you have to hire for a certain position?

And the trainer said, Hey, in the room, like, tell me like what personality profile do you need to hire for a waiter? That's a good question. . Right? And, and we thought about it from when we were debating and he said, well, it really depends if you have a, like a pub, right? Uh uh. It, it's all about speed. It's about transaction.

It's like, you know, getting things done. Yeah. So the person you want, there is somebody who, who can switch tasks pretty easily, like always stay on top of things. And they get emotional satisfaction from like checking stuff off their list. Yeah, right. Getting this stuff out, getting this sta, you know, turning tables, all of that stuff.

If you think about like a three star Michelin. It's all about relationship. Yeah. And so, you know, making the guests feel at home, making sure they're taken care of, all of that stuff. It's not transactional at all. Right. Yeah. And so when you think about sales, think about like what is your sales motion And in mid-market, I think it's more like the pub and in, in enterprise it's more like the three star Michelin restaurant.

Yeah. Right, right. Both are completely. , but there are, they require different thinking, different motion and so on. Yeah. So, yeah. When you're asking about like, Hey, how do you stay on top of that? I think number one, sales is a bonafide job that requires a lot of skill. Yeah.

And they're very highly paid for that skill too. Yeah. It's not something that you can study at university. Strange because it's such a, a critical job in our economy. But yeah, it's, you, you should really hire somebody who, who is a sales professional. Yeah. Or if you're a founder, you know, don't assume that you've been sold to a few times and that's how you know how to sell.

Yeah. You know? Yeah. It, it is quite complex. And if you're a founder and you don't have the cash yet to hire a sales, Then read some books. Yeah, there's the Challenger Sales Spin Selling. There's like, yeah, just, you know, consume a, a bunch of books about sales methodology that fit the type of business that you have.

So in our case, we have a technical sale to a, usually a committee, a group of people who are making the decision together. Yeah. So it's a complex sale, it's a technical. So you want to make sure that you understand the role of each buyer, right? So there is, typically, they're always called something a little bit different depending on the methodology than the book that you look at.

But you have the champion who's kind of like, who wants to get the project done and who wants to get you in, right? Then you have the economic buyer. That's the person who signs the check. You might have a, a coach who doesn't have any juice in the, in the. , but they can give you, they can feed you information, they can advise you.

Yeah. Then you have the user buyer. So they're the person, they, they can't make the decision off what the tool is, but they're gonna be using it afterwards. Right. Yeah. And so, so, you know, then there is gatekeepers like procurement and, and, and legal. Yeah. That can say no to a deal, but they can't say yes to you as a vendor.

Right? Yeah. They can't make the deal happen. They can only block it so, Really understanding all of those roles and then really qualifying your deal. So what I mean by qualifying is there is some methodologies depending on the, on the book that you read and what flavor you subscribe to. Google form, med pick M E D D P I C C, and you'll find probably some articles and basically it's a checklist of what have you, you know, where have you covered your bases in this?

Do you, have you met the economic buyer? Do you know what's driving them? Do you understand the paper process? Yeah. Which means like, do you understand the procurement process? Right? Right. Not do you understand the technical selection criteria, like all of these things. And if you are, if you have a deal that's stuck, you usually haven't checked all of the boxes on those things.

Julian: Yeah, it, it's one question I'd love to ask you. I've chatted with a lot of founders and they've gone through fundraising rounds and, you know, obviously one of the biggest things is you know, focusing on how to spend on hiring and how to spend on different pieces of, of growing the business. Since this, obviously this isn't your first rodeo but what advice would you give to founders.

You know, say recently received a round of funding and need to grow in, in many different ways. They need to build out more of their product features to get more user satisfaction and, and users adopted on their profile or on their, on their product. And they also need to build out teams to be able to, you know, create the, the, the products that they need or, or get more demand.

How would, what advice would you give them on identifying where your business needs to grow? And mm-hmm. , the timing for when that area should grow.  

Chris: Yeah. I think one thing that helps is if you've seen and lived through growth of companies in different sizes, and not just one, but several times. Yeah. So that you kind of know like, oh, this is the stage when you bring like corporate development in, which is like super late, right?

Yeah. , this is the stage when you bring a BDR in, this is the stage, et cetera. But I also. Caution you to just have a knee-jerk reaction to say, oh, at this size this company did X, therefore I'm gonna do X. Yeah, because the market has changed. You have a different product, your company is different, your cash position's different, all of that stuff.

So what I would advise you to do is think about like what's the most important thing to get. Hopefully it's not too many things because you, you need to focus. Right, right. And, and try and do that. I'll, I'll give you some examples. When I joined hd, he had a product, you know, check. Okay, great. Like, we've got that.

That's a good start. Without a product, you can't sell a product. Yeah. He had some customers, he had he had cash in the. , he had a lot of inbound. Mm-hmm. , he didn't have a crm, he didn't have salespeople. Right. Yeah. So if I have a lot of inbound leads, then I don't need to start with marketing.

Right, right. My primary problem was sales, like somebody to catch and nurture and take care of those needs and turn them into deals. So I started out by, well, first. did all the sales myself, but with the goal of hiring sales as quickly as possible, right? So I hired three salespeople. Then, then I was doing all the demos, right?

For all the salespeople. So now I was super busy doing the demos. So then I said like, okay, gotta hire an SE leader. Yeah, a systems engineer, right? Then , the sales team was growing and I was spending all my time managing the sales team, so therefore I needed a sales leader. . Yeah, yeah, yeah, yeah. Right?

Yeah. And, and so I and I, and I looked at the team and one of them, Jay, was just crushing it. And, and not only crushing it as an individual contributor, but also exhibiting a lot of the traits that I, I needed for a, a team leader, right? Mm-hmm. . So you became a director. So then I had some time to focus on marketing.

and, and focus on marketing a little bit more. And in marketing, we we went a different route. So I knew I would need to grow the marketing team. I had too many direct reports, too many, too many hats that I was wearing. Yeah. And if I'd hired individual contributors at the time in. , then they were gonna be more junior.

They would need more coaching, more mentoring, more of my time. And I didn't have that time. Mm-hmm. . And so it's a fine way to start if you are short on cash, but we were actually okay on cash. Mm-hmm. . So what I did is I hired four director level people who then, number one, they've been around the block, they know how to start bootstrap that.

right? Yeah. And they can then hire their team underneath. Right? Right. Otherwise I have to be the person who hires all of the, all the folks. Yeah. And that's really tough, right? Yeah. It's really hard on, on time and so on. So, so you see like, there, I don't think there is one answer. Sure. Yeah. Yeah. To see like, how you grow and like where you focus.

It really depends on where you are. And I also think that there is a. a natural limit to how fast you can grow. Yeah. Because you can only onboard people so quickly and like after people are onboarded, like they can't onboard the next batch. Yeah. Until they've had some experience. Right. So some of the companies that raised a ton of money, And grew extremely fast.

They become very inefficient and dysfunctional very quickly. Yeah. So I've always paid attention to the fact that I, that we grow and we're growing fast. I mean, we grew to 80 people in two years. Right? Wow. Yeah. So that's, that's very fast. But you have to be really conscious about when we were 15 people, , we decided we need to, to like write down the culture that we have and that we want to have.

Right. Because we need that written down so that we can screen the rest of the people that we're hiring for cultural fit. Yeah. Right. Cultural fit is so nebulous. You need to be specific. Yeah. When we were growing bigger at about like, you know, 30, 40, 50 people it became clear that we need more streamlined onboarding not only like, well much earlier onboarding in terms of like, everybody needs a laptop and health insurance and all that stuff.

Yeah, . But then later on we, we, we figured like, hey, we are just, you know, the last person that we hired is training the next person on, on the product and how to sell. And things are getting lost in translation. Yeah. We need a, a formalized training program, a sales enablement program. Right. And, and so as you grow, always look at like what's, what's squeaking, what's gonna start breaking.

Yeah. And try to get ahead of that before it does.  

Julian: It's, it's credible to hear. And, and one, one founder was talking about checklist and how, you know, you kind of alluded to it with, you know, HD had a product, he had, you know, revenue mm-hmm. , he was missing, you know, this little piece on the checklist and then to address that and, and it kind of, you know, grows in cascades from there.

And, and it's it seems simple and I ask the question to see if if, if you illuminate, but it sounds like it's, it's within the experience of like you said, where things are maybe not working so well before they start. That that is, that is the ideal focal point for, for founders. Back to runZero, what are some of the biggest challenges that you face today?

Chris: So, obviously like everybody's gonna say the economy right now. Yeah. , right? Budgets are tighter than they were a year ago. We're still doing, doing fine. And we actually, we talked with our investors and we came to the decision that we wanna lean in because we have We have great product market fit.

People still need what we're buying, all of that stuff. So we're leaning in and continuing to hire. Yeah, I think the, well, what's top of mind for me right now is hiring. In the past it was always, you know, mostly director level and individual contributor level. And now we are really staffing up on the exec team.

So I. You know, in parallel hiring a chief marketing officer, a chief revenue officer, chief financial Officer, a legal counsel, and a VP of engineering. So, the, the risk I see, well, enormous potential if we get that right. Right. The risk I see is hiring the wrong person because not only do we need somebody who's gonna perform in the role.

But also culture is extremely important to us. And if you have somebody on the exec team, especially on the exec team they can have a really negative impact on the culture if you pick the wrong person. Yeah. So I think that's when, when I'm, when I'm thinking about the biggest risk right now I think it's that,  

Julian: yeah, if everything goes well, what's the long term vision for runZero?

Chris: Well, so, we talked about that asset inventory is like very foundational to security programs, right? Yeah. And that the, the new technologies that have come in are disrupting the old tools. So that, that's a huge chance for us in, in a number of ways. Number one, we can become the new tool for asset inventory.

But also, once you have that data, once you have a complete map of what the customer has, you can build all sorts of solutions on top of that. So you can tell them, you know, not only what they have, but what's risky, you know? Yeah. Risky assets, risky configurations. You can say, Hey, you're missing your endpoint protection on this machine.

You're missing vulnerability coverage on that machine. , you also need to help people understand who owns which machine in a, in a large company. Like if you, if you think about like many years back, there was the, the Equifax breach, if I'm not sure if, if you remember that. Yeah, yeah, yeah. And they had actually identified the machine that had the vulnerability.

but they had the wrong owner, so they emailed the wrong guy to fix it. Oh

Julian: no.  

Chris: Right, right. So knowing the owner of the machine is actually super important, right? You can provide context for incident res response. It's just like you can build so many things on asset inventory and when you look at some of the security frameworks, so, so frameworks that.

Give you advice on how to build a security program? Asset inventory is always requirement number one. Yeah. Right. So once you solve that and you do a really good job at that, you can build on top of it and you can just, you know, grow a platform.  

Julian: Yeah. I always like to ask this question as kind of a curve ball, but if you weren't working on runZero, what would you be doing?

Chris: Oh God. Depends on how much money I have. Yeah. , what's, what's the, what do I still need to work or not? ?  

Julian: That's a good question. Let's say, let's say, let's say you work as a choice.  

Chris: Sorry. You were breaking up a little bit. Can you say  

Julian: that? Let's say if you had to work as a choice, but, but you didn't  

Chris: need to.

If I had to work as a choice. Okay. if I, if I had to work, but as a, as a choice. Yeah. You know, I there's, there is one area that's always piqued my interest. It's a, an area in security called open source intelligence. Mm-hmm. , and most people have never heard of it, so I'll explain it briefly. It basically, it has nothing to do with open source software.

And it basically means. finding information in open, openly available databases or sources, right? Yeah. So at the, at the very simplest in the, in the very simplest instance a newspaper is an open source, right? Everybody has the same access to that information. The trick is how you interpret that information and how you.

And, and how you find specific pieces of information. So, it's used a ton by the intelligence services. It's used by law enforcement, it's used by investigative journalists, all of that stuff. And I do think that there are a ton of opportunities to build a company based on ent. So I'll give you one example where I missed the boat and I.

You know, slapped my forehead because I thought like I was doing this manually, and I could have built a company based on that. So, let's say you want to figure out who has I was doing this like for marketing campaigns, you know, like you want to figure out who's got a certain technology mm-hmm. , in, in their in their environment, let's say.

I don't know, Splunk or something like that. Mm-hmm. . Let's just pick something random, right? How do you find that it's not exposed on the outside of the firewall? So you can't just scan the internet, right? You have to find other, other ways to find it. But if you look at job ads, for example, and Acme Co corporation says, we're looking for a Splunk adminis.

then, you know they're using Splunk. Yeah. Right. So if you are selling a Splunk add-on, that's a great target, right? If you are if you look at resumes and somebody says, I was at Acme Company and I was responsible for Splunk. , then you know that company's using Splunk, right? Right. So you have open sources that are not in a structured format, but if you know how to collect the information and do it efficiently and at scale, you can derive a data set that's extremely valuable to people who are trying to market into Splunk.

Into the Splunk customer base. Yeah. Right. Yeah. And so there are tons of examples there. There's also many osen companies that cater to law. And, and the intelligence sector, and that's fine too. But I think that those markets are a lot more limited. I'd be super interested in, and by the way, the company that I just described exists.

And, and so that's no longer a play. I can do , but I think if I wanted to found another company, I would think about ent. What kind of information could I get and how could I use it and where, who could I sell it? Yeah. Or what could I do with it? Right. Yeah. Yeah. I think that it's, it's a super broad field and it's applicable to a, a ton of different things.

Julian: Yeah, I mean, it, it's applicable to the company. I run it with, you know, we help hire engineers for for startups and, and engineers from South America. And if I were to know and have an aggregate of, of companies who work with X Technologies and the types of individuals on those teams and then, you know, kind of.

Maybe there's one kind of niche technology that they work with that would be valuable to them. I mean, that would be a hugely valuable list to me, and I can only imagine other companies can, who can kinda have the same use cases. So, Osen, I'll, I'll have to look more into, to to that because that seems like a, a fascinating  

Chris: field.

It's a rabbit hole. If you, if you got hooked on it, you're hooked on it for good. Yeah.  

Julian: Oh, no. I know we're close to the end of the episode here but I, I really value the, the experience and the, the advice and the anecdotes you have. But I always like to ask this question, next question for my audience, but also for myself selfishly. What, whether it was early in your career or not, what books or people have influenced you the most?  

Chris: Such a broad question and I, I was really struggling with this when you sent it over. Yeah, yeah. I. You, you know, like, I, I take bits and pieces from different people. I, I thought our first CEO at Veracode was, was fantastic. His name is Bob Brennan. I don't think he's written any books, so it's gonna be hard for people to kind of like read up on that. And he's a very empathetic leader.

He always in the town halls appeal to both the head and the heart, right? Yeah. So if you, if you just lead with the facts, you, you're not gonna be able to really get the buy-in from, from folks and to really capture their imagination. But if you, if you appeal to both sides, then I think that's really.

Right? Yeah. Because all of us want a, a, a purpose in what we're doing. Especially if you have the choice, right? If you are a, a highly educated person in a western country, you have a huge choice over where you wanna work, right? And it's not just the paycheck, right? It's about purpose, it's about learning, it's about passion and all of that stuff.

And so I, I do think that, You need to yeah, you need to appeal to the heart. People need to be in it with a passion, but you also need to have some substance behind it. And that's where the head comes in, right? Yeah. It needs to be logical and it needs to make sense. Yeah.  

Julian: Yeah. It's, it's, that's such a great you know, kind of, kind of way to communicate or, or I guess philosophy around communication because, you know, it kind of. Lot, a lot of founders talk about developing a story, but in the essence of a good story is, is a lot of substance and facts, but also an emotional connection to, through an experience that people can connect to. So, that's a, that's a really good one appealing to the head and the heart. Yeah. Yeah. Yeah.

Chris: And it's even more important when, when, when there is something that people are worried about, right? Let's say the company's getting acquired, you didn't hit the sales numbers. You know, like, Corona hits, you know? Yeah. Like right there. There's, there's so many things that might not even come from inside the company that are on people's minds and that are affecting their lives. and I think it's really important to acknowledge those things as well.  

Julian: Well, Chris, it's been such a pleasure chatting with you and, and I, and I think we could do a part two of this episode. I, I plan to do a bunch of part two, so I'd love to have you again, if, if you're available, but last little bit, as I always like to give my guests a chance to give us your plugs.

Where can we find runZero? Where can we start using the product? Give us the website, the LinkedIn. Where can we be a fan of yourself and, and any information or any, you know, content that. You distribute out there that, that we would find valuable. Where could we find all that information? .  

Chris: Sure. So, runZero is very easy to find. It's runZero.com. very happy that we got the.com domain. We, we had to rebrand and that's a whole other story. We need a couple of hours for that and you can find me probably on LinkedIn is easiest. Chris Ksh last name is spelled k i r s c H. And less on Twitter nowadays but still present there. And more on Mastodon at, I, I think it's Chris Ksh infosec.exchange. Got, it's the, it's the correct address. I'm still new to this. Yeah I, don't have that at the top of my.  

Julian: No worries. Well, Chris, really appreciate not only the, the experience that, that you came with, but also the, the deep understanding of, of, you know, scaling and building companies and, and how to kind of view them from a very practical sense.

I think, you know, there's all these books and information out there, how to philosophically derive it, but really, you know, what's valuable is, is the mechanics that we can actually use in, in our day-to-day lives as, as audience members and as founders. But again, Chris, I hope you enjoyed yourself and thank you for joining the podcast.

Chris: Thank you very much. Take care.  

Julian: Of course.