Can you explain exactly what Bishop Fox does and what problem it solves?
We help our clients find their technology assets and vulnerabilities. This helps our customers determine where they need to focus their security efforts to secure their systems so that they can't be exploited by attackers.
How did the company get started?
While I was working at Honeywell with my cofounders, we were engaged in offensive security work and contributing to offensive security technologies. This was going on while we were running a global penetration testing team at Honeywell. After roughly six months, we started getting so much work that we decided to do it full-time. For the first 13 years we were entirely self-funded, and then grew into our series A.
Tell me about your team and approach?
When I say we identify assets and vulnerabilities, essentially what we're doing is emulating the behavior, tools, and techniques of hackers. In so doing, we mimic or simulate those types of threats to find vulnerabilities. In the process, we vary the approaches, tools and techniques at our disposal based on the questions we're trying to answer. The most common questions are: Can we be broken into? How effective are my defenses against varying levels of attacker sophistication? What is my security posture?
That is the technical aspect of it. From the business perspective we are helping people identify their risk and determine whether their controls are effective. We do that using a combination of technology and people. Technology alone will not solve the problem any more than an x-ray or MRI can deliver a treatment plan without a medical professional reviewing the results and prescribing a course of action. Our people are an essential piece of this process, and I am proud that we’ve collected one of the largest and most highly skilled concentrations of offensive security experts in the world. Our team has developed many of the most popular offensive security tools. We have published research and our work has been recognized for more than 15 years.
What trends are you seeing in this market / how is Bishop Fox differentiated in the market?
Having systems tested by a third party went from being the gold standard to a standard requirement. Government and regulators are now putting a lot more emphasis on the importance of testing and being proactive about an organization’s security program. In the past, there was a big emphasis on detecting and responding to an intrusion, but now the focus is on preventing intrusion. Those are two big trends that we are seeing and what we're finding is that what differentiates us is the technology platform we've built. It allows us to operate far more effectively at scale. Our caliber of talent and team size is also a critical differentiator. We have one of the largest concentrations of offensive security professionals anywhere in the world with a number of specialties focused on some form of offensive security. If a company is looking for a team of expert hackers, there's only a handful of companies that are our size with our focus and concentration.
What are some of the specific challenges you have faced as the company has grown and how have you successfully addressed them?
Any organization like ours struggles with the recruitment and the retainment of talent. Because people are the core of what we do, we needed to design a culture that was focused on being a good environment for a distinctive personality. Our team finds problems, so we are a company full of professional critics. Imagine leading a team whose job is to spend eight hours a day poking holes in other people's work. It is a unique managerial challenge. You have got to put a big emphasis on people management around culture and creating the right environment for them to be successful.
What were your priorities for a PE partner?
There were two areas. One was alignment. Carrick fundamentally understood what we were trying to do, and they were 100% aligned with the direction we were taking. That was incredibly important for us. The second was reputation. There are people with a lot of money, but they are not all good people. For us finding partners that were stand-up individuals was important because we view it as a form of marriage. We were very fortunate in our series A to have great investors, and we wanted to maintain that priority and to ensure that we were aligned not only from a vision perspective but also a values perspective. We received term sheets with higher evaluations, but ultimately alignment and the character of the individuals that we would be working with was more important for us. We have always bet on people. And we knew that we would go farther and do better if we had better people involved.
What are the benefits of working with a group like Carrick Capital Partners?
We have been educated. We are learning and leveling up our ability from a business perspective in terms of how we examine the business and how we look at the metrics. We talk a lot about our business, and they are a very strong sounding board on how we're thinking about our operations, organization, and the recruitment of talent. That combination has been powerful for us, and it is especially important as we move into the next phase of growth.
What is your advice for other growing businesses considering private equity?
The advice I would give people is maintain control if you can. There is a joke in the industry that investors will offer you money and the illusion of help. But if you can find a team who will lean in, meet you, and help you where you are, that is the critical differentiator.
Tell me about your road map. What is next for Bishop Fox, and what are your long-term goals?
Our vision is to be one of the most admired and respective offensive security firms in the world. To do that, we believe that building our Cosmos platform to deliver offensive security solutions and help our customers answer questions about their cybersecurity programs is the key to unlocking customer value. This is the future of our business, continuing to invest in our technology, invest in our people, and invest in our clients so we can meet our clients where they are and further build those relationships.