September 9, 2013

BitSight - Boston's Most Unheralded CEO Leads Security Evaluation Revolution

Think you know every Boston tech startup story out there? Well, I doubt you know the tale of Shaun McConnon, Boston's quiet man CEO, who is leading the Series A-funded security company BitSight as it launches its initial product today.

The company unveiled its BitSight Partner SecurityRating offering today out of beta, which is the first in what the company envisions as a series of new cybersecurity products. The Partner SecurityRating system creates a 'FICO'-like score that allows companies to assess the security state of a partner or potential partner.

As the press release announcing the launch explained, BitSight Partner SecurityRating "delivers accurate and timely ratings on the information security effectiveness of organizations around the world. The ratings, which are based on externally visible network behavior, are generated daily to keep track of the continuously shifting nature of an organization’s security state."

When a company's security is evaluated by BitSight, a score is generated in the range of 250-900 (like the FICO/consumer credit rating system). The rating represents the security health of "a company’s partner ecosystem so it can better protect sensitive business and customer data shared with third-party vendors." The higher the score, the better a company's security.  

As Stephen Boyer, who founded BitSight with Nagarjuna Venna and is the current CTO, explained in the press release announcing the launch, “Traditional approaches to measuring and mitigating partner security risk, including network security audits and assessments, have fallen short.” BitSight's belief is that the current standards used for evaluating a company's security don't paint an accurate and extensive enough picture of the overall health and security of a company's network. Boyer added that commonly used measures "fail to deliver an objective and simple way to understand the effectiveness of an organization’s network security practices."

As such, "BitSight Partner SecurityRating delivers a single, daily rating that encapsulates the information security integrity of any third-party network, allowing customers to make data-driven, risk-based decisions," the CTO said.

How does BitSight's evaluation system work?

By using strategically placed online sensors, the company collects and analyzes publicly available internet traffic data. Specifically, suspicious behaviors (e.g., participation in a Distributed Denial of Service, or DDoS, attack or communication with a known botnet) are analyzed for "severity, frequency, duration, and confidence" to create the overall SecurityRating score of an organization’s security health.

BitSight's new service is an enormous breakthrough for companies dealing with multiple network partners. As security measures are being surpassed by more intelligent and complex cyber attacks, the old way of evaluating a partner's security strength, by capturing the state of security at an arbitrary moment in time, is just too unreliable for companies dealing with sensitive data in the financial, consumer, medical, and even education sectors. Having an accurate understanding of the security of partners being onboarded or those already connected to a company's online ecosystem is of vital importance as we become more reliant on interconnected networks and the cloud.

As Sonali Shah, BitSight's VP of Product Marketing, explained, "The problem we are trying to solve, essentially, is how to measure and manage security risk; specifically, how do companies manage that risk when it comes to partners?"

In June, BitSight raised a $24 million Series A round of funding.

Hold on, you might say: how does a company that is just launching its product today raise $24 million in funding?

The reason is that the investors involved believe in the product, but also in Shaun McConnon's ability to lead. Both Flybridge Capital Partners and Commonwealth Capital Ventures, who were part of BitSight's initial Seed Round, rejoined for the Series A, along with Globespan Capital Partners and Menlo Ventures.

Who is Shaun McConnon?

McConnon, who has run three companies that have been acquired for over $1 billion, joined BitSight in a leadership role last year.

McConnon went into research and toxicology right out of Roanoke College because of his interest in biology. He later moved on to pharmaceutical sales, which he didn't like, and eventually got a job at RCA, "after seeing an ad for a systems engineer for the company's 'early mainframe' computer department." As he admits, "I wasn't a very good systems engineer, so I went into sales."

As he explained, "Until I was thirty-eight years old, I ran sales operations." At one point, McConnon moved to New England from Atlanta to run Data General's local sales team. After moving from one startup to the next, he eventually ended up joining Sun Microsystems in the company's early days, taking a lower-level sales position in the process. McConnon climbed his way up the corporate ladder to eventually lead Sun's East Coast and government sales teams.

Eventually, after working for Sun for a number of years, McConnon got the urge to try something else. 

A partner at Sun had started one of the first firewall companies, Raptor Systems, which was in desperate need of leadership. McConnon joined as CEO, the company got funded by Greylock, and grew after a few years to the point where it was making $28 million. Raptor went public, and McConnon decided to make a play at another security company, Axent. Eventually, Axent bought Raptor and was then acquired by Symantec in 2000.

McConnon thought about retiring but was approached by Alan Kirby, BitSight's current VP of Engineering and Product, about an MIT intrusion prevention project that detected the behavior of malware. After raising money and adding his own cash to the project, McConnon realized too late the demo was for a product that never actually existed. Yet he and some of the team liked the idea and continued to pursue Okena, as the project/company was called, even as the tech bubble burst and 9/11 happened. 

Okena eventually raised some money from GE Capital, among others, and, as the company was starting to make the product profitable, Cisco "swooped in" and bought the company. As McConnon said, "Microsoft and Cisco were looking at us, we were a tiny company, only fifty-eight people, and we sold to Cisco for $154 million on $3.5 million in revenue."

"So it was a good deal for everyone," he added.

Did McConnon retire at this point? No. 

Q1 Labs came along. As McConnon explained, "My lawyer and VC friends said to go over and Polaris. They were looking at a company in Canada. So they asked me to go look at the company and tell them what they had. So I met these amazing people, young and very smart. [One of them was Chris Fanjoy who was an engineer in the early days of MapQuest]" 

Polaris told McConnon, who wasn't sure about the company, that they weren't going to invest unless McConnon got involved. So he did.

While at Q1, McConnon hired Brendan Hannigan, who is now General Manager of Security at IBM.

The company grew at an astounding rate. As McConnon said, "When I inherited it, it was a $300,000 company, after seven years, it was a $70 million company."

"We sold it to IBM for 'lots of money,' more than a half a billion," he added.

After that, Flybridge connected McConnon to BitSight's Venna and Boyer, who were building the company at Dogpatch. Flybridge believed that McConnon's security experience would be perfect for the promising BitSight.

Which leads to BitSight's product launch today.

McConnon is an extremely humble CEO; it took a while for him to talk about all the personal success he has achieved in the tech/security sector, and it was obvious he felt more comfortable talking about BitSight than himself.

"He's modest about the great stuff he's done," said Sonali Shah. "He's been involved in the security space for over twenty years, and he is the most famous, least known CEO I've ever met."

Just look back at that career: Sun Microsystems, acquired (eventually) by Symantec, acquired by Cisco, acquired by IBM. And those are just the stories that I'm at liberty to write about. If you ever want to hear from someone who is one of the cornerstones of the Boston tech community, sit down and let Shaun McConnon share some tales.

With McConnon's track record, a product that could eventually create its own niche market (as the consumer credit score market has evolved), and the attention of some of the wisest investors around, BitSight's future looks extremely bright.

Dennis Keohane is a staff writer for VentureFizz. You can follow Dennis on Twitter (@DBKeohane).