Company: Beyond Security | Who: Aviram Jenik, CEO
Beyond Security provides automated vulnerability assessment. Founded in 1999, I was surprised that Aviram Jenik – the company’s CEO and co-founder – still considers Beyond Security a startup. In a phone interview, Aviram explained to me how he considers entrepreneurship.
SecurityWeek: How did you start out in the computer field and in particular, security?
Aviram: I started in security when I was about 12 years old. It was then when the very first virus came out – the “Brain” virus. During that time, two brothers from Pakistan were making money from computer consulting and thought of a model to generate further money. They would create a virus which would infect computers, and they’ll be the ones fixing that virus. The model worked, and they made a lot of money. This was pretty cool so I became very interested in viruses and started doing some research.
Soon, I became the geek kid everyone asked about viruses and who knew how to clean them up. I had this handwritten notebook with instructions – just like a recipe book – but it was on how to clean viruses. It was practical since only every few months there was a new released virus. Can you consider an anti-virus as a hardcopy book? Well, that’s how I started. There was no Internet then, but we had hacking and phishing as we have now. I got into that field as well – both learning how to hack and of course, how to protect from hacking. But back then, there wasn’t something called “security” – you couldn’t study it at the university, and you couldn’t get a job in security.
So, for about 10-15 years I went to startups that were later sold. In 1999 security became a big deal. Since security was my passion, I founded a security company, Beyond Security, that that was self-funded with from the sale of those previous companies.
SecurityWeek: What brought you to found Beyond Security?
Aviram: I’m a startup sort of person, and I wanted to start another one. Security was my passion so I wanted a security startup, though I didn’t really have an idea or product in mind. I decided to just start by looking around, see what’s happening- and doing it better. At that stage I started thinking to myself that if I’d be working at the companies I was observing, then I would do much better. Especially the big ones. I had such passion and thought that these guys were clueless. This is true to this day – I find that there are lots of companies today that do security simply because it’s a buzzword. You see how they work, and for me, it’s almost insulting – it’s like painters going to art. With this in mind, I realized that we – Beyond Security’s co-founder and CTO, Noam Rathaus, and myself- can do much better.
SecurityWeek: What does Beyond Security do?
Aviram: We’re an automated vulnerability assessment provider. Our security thinking is: can we take a hacker – a really smart one – and put him in a box, as well as automate it? We built a tool that automatically breaks into something and from there, an assessment tool that automatically checks the application. Another thing we added is product scanning. For example, one of our customers is AT&T and they’re checking their U-verse box – a sort of cable TV- and testing to see if it can get hacked.
SecurityWeek: You’re 13 years in the business but you still call Beyond Security a startup. Why?
Aviram: We’re a pretty small company, about 30 employees. The interesting thing about the industry that we’re in is that it’s immature, still at its very early stage. We’re in the vulnerability assessment field, and it took time for the market to get this technology. This leaves us with the startup mindset- to innovate.
SecurityWeek: What are your markets?
Aviram: Our biggest market is vulnerability assessment, and it’s a growing market. Enterprises and even SMBs need and want to scan the network. Many of the big companies need to scan for compliance reasons. For example, PCI DSS pretty much mandates scanning so that’s a big driver. The smaller ones want to know if they have security holes and want to know whether they should buy a product. They’re quite confused since sometimes a certain vendor will say that they have the right solution, but then another vendor will say that they have a better and different solution. At other times, the vendors will say that even though the organization has a certain protection, it won’t cover another type of attack.
This gets the CISO constantly worried as to where the next attack is going to come from. We say what’s going on, we show them the hole and explain how we got in. For example, we might come in and say that the VPN is weak. In that case, the organization should look into VPNs since that’s the weakness, but there’s no need to waste money on firewalls. From a regional point of view, US is the biggest market. APAC is next with China being our second largest market. We’re growing well also with the rest of APAC.
SecurityWeek: Who are your competitors?
Aviram: We have one big one that just went public – Qualys. Also Rapid7 and nCircle.
SecurityWeek: What’s your business model?
Aviram: We sell a one-time hardware appliance, which obviously has a license at the organization. Then, there’s usually maintenance. I like this model as opposed to the month-to-month/ year-to-year model which I don’t think is a good idea for startups. Those models block the startup since it gets them every year to fight for customer retention instead of focusing on innovation. Take for example Netflix. They’re subscription-based and unless they don’t bug me, I don’t cancel. But I’m basically paying for a 3-year-old product. On the other hand, look at Apple. They give me a reason to buy a new product, such as a new iPhone every year. That’s what I like about the one time purchase – as a startup it makes us work hard for something that customers will want to buy.
SecurityWeek: What are your growth rates?
Aviram: We are growing organically a lot from year to year. Yet, I want to keep the team relatively as small as possible. Our main pride is automation and it leads me to ask: how can we automate instead of hiring more? We’re always trying to see what we can do more with less.
SecurityWeek: Where do you think is your field going on from here?
Aviram: Right now, it’s growing really well at a rapid pace. But I think it’s still very immature. When asked why we’re still a startup, I think this very much answers the question. The customers we get to talk to are about 25% of the market. The rest has no idea about vulnerability assessment. They never bought one before – or thought before about vulnerability assessment- so the market interest is low. And what about also all those markets without a CISO? There’s a 75% of an empty market so the potential is huge.
SecurityWeek: What’s the biggest challenge you encountered as an entrepreneur?
Aviram: There are so many! Having a company means making a lot of mistakes. This is my third company and I keep making mistakes and trying not to repeat them. Probably the biggest challenge in security is how to stay innovative and make sure that customers are getting everything they need without caving into the hype.
In security there are trends and security startups need to be truthful: are they doing something since everyone is telling them what to do, or because it’s an industry need? Every year at RSA everyone talks about the new buzzword and then everyone asks how you’re tackling it. For example, two years ago it was GRC. Everyone – analysts, customers, journalists, opinion leaders – asked how I’m doing GRC. I need to explain these buzzwords, but I know that the next year they’ll forget about it. I imagine were I Microsoft then I would proceed to be compliant with the recent hype. But I’m a startup so just doing the integration with a partner is an effort. As an entrepreneur, I need to know whether what everyone is asking for is a real need. It’s a challenge to pick and choose.
SecurityWeek: Other than yours, what is your favorite startup (whether it is in security or not)?
Aviram: Watchdox. For several reasons, the main one being that their service is very simple – both in concept and in user experience. Many people seem to think that security is the opposite of usability. That’s not true. When things are usable- and simple- they are often actually more secure. I like solutions that prove that, and WatchDox is one of them.
Proper disclaimer: Interviewing Beyond Security challenged our notion of a startup. When SecurityWeek incepted the “Security in Focus” columns we tried to define what a startup is. Answers ranged from the company’s founding date to its funding stage, while some claimed that it’s any company – even a public one – which revolutionizes the field. What do you think? Feel free to share your thoughts in the comment section below.