Before joining Rapid7 as the Senior Director of Orchestration & Automation, Jen was the founder & CEO of Komand (acquired by Rapid7), the fastest way to automate your time-intensive security processes. Previously, she co-founded Threat Stack, a pioneering cloud security monitoring company, and serves on its board of directors. Jen has spent her career in security operations and product -- starting off in the SOC as an analyst and later working as a researcher and developer at security companies Mandiant and Symantec. A recognized speaker in the security and engineering world, she also supports security innovation as a board member of the hacksecure.org cybersecurity investment syndicate.
Kasha Gauthier (KG): Describe your career and work briefly.
Jen Andre (JA): I started with computers when I was young, I took programming classes through middle school and high school. My parents bought me a computer, so I’ve always had an interest in programming and computers in general and I was on the internet really early on. I used the local bulletin board systems (BBS) and met a lot of friends in high school that way. I was always interested in cybersecurity, and pursued it as a side interest. A lot of the friends I had met on the internet were interested in “light hacking,” so that got me interested in the space.
Later, I studied computer science at Carnegie Mellon, but I dropped out after two years. I was thinking I would take one semester off, but I never went back! I found really interesting work in the security space. I temp’ed for a while doing tech support jobs, then landed a security consulting job for a government contractor in DC supporting the TSA contract. That meant I did everything from internal pen testing to compliance paperwork for the contracts. Although I liked the work, it wasn’t the right fit for me, it was more policy-driven, and I preferred technical work. So, I joined Symantec’s MSSP security operations team as a security analyst, where I monitored their Fortune 100 clients.
That is such an interesting path, we at ACSC do a lot on workforce development, especially as it pertains to broadening the pipeline and getting more diversity into the industry. Your path was not traditional. What led you to drop out of Carnegie Mellon and go into the workforce?
The degree program was very demanding and stressful, but I found Computer Science generally doesn’t train you with hands-on, practical knowledge. It was “computer stuff,” algorithms, systems architecture, etc. It was training to be a computer scientist, not necessarily work in a software engineering or a computer security job.
I found work to be a very different type of experience than learning from the classroom, and it turned out it was more relevant to the path I wanted to be on. I think there are some good computer science programs, but many of them don’t address the workforce needs. Tons of people graduate with computer science degrees without really understanding how to build a product. Cybersecurity is even worse that way. Existing education is far behind in training people for real-life security roles, both for policy-oriented and technical roles. Overall, I think there’s a gap in higher education; the skills to be an entry level security professional are not being taught.
We’ve seen that as well, so now we see alternative education, things like Girls Who Code, and efforts to get even basic computer literacy into core curriculum. Based on your comment, I wonder if you think higher-ed institutions need to take initiative and include the technical, coding skills in their curriculum, which could improve cybersecurity training programs?
One of the business ideas that I think is very powerful is an alternative education path. Today, when people go to training to get skills they need, they go to institutions like SANS or Blackhat. But to go to SANS and get a certification is $5,000-$10,000! So basically you need an employer to sponsor you, which creates a chicken and egg problem. We are seeing this emergence of online coding bootcamps, I think there’s a real opportunity to do something similar online for security that would prepare students for the workforce.
“There’s a gap in higher education- the skills to be an entry level security professional are not being taught…there’s a real opportunity to do something online for security that would prepare students for the workforce”
You began working with computers and security early on, can you tell me a bit about what that community was like, and your experience being a young woman in that community?
It was the late 90’s, early 2000’s, I met a lot of friends that way. It wasn’t mainstream then. It was a niche group of people who shared common interests, mostly young people playing around- spamming, script-kiddies and the like. I was only 14, 15 years old! It was all local people, so we would say, “ok let’s go and meet in person.” It was mostly young white guys, but I brought some friends so there were a lot of girls. IRC was mostly male, I kept a gender-neutral profile, because there was a lot of trolling. Some women were actually harassed, it was just not good. The trolls could be anonymous, and people would hide behind that, same as today on Twitter. Most of the people I met with in person were really cool. I just wanted to be in the technology and I didn’t want it to come with the side of harassment.
What led you to start your own company?
I was at the Symantec SOC (security operations center) for 8 months. I was not interested in looking at security events all day. I was more interested in building the systems that identify threats, so I interviewed for a few internal positions. I joined the software engineering team that was building out the monitoring system for MSSP clients, including the analysis system, UI, and backend components. A woman I worked with on that team had gone to a new company, Mandiant, which was literally down the street, and recommended I interview there as well. So I went to work in Mandiant’s R&D group with Jamie Butler and Peter Silberman. Mandiant really evolved the incident response space. There were very smart engineering and cyber minds there. We worked on a lot of cool stuff including a home-grown malware analysis system.
R&D was fun but it was frustrating to build something great but be unable to bring it to market. I was always very interested in the customer and ‘product’ side of my work, e.g. solving real problems for people and met a few like-minded people at Mandiant. A few of us went off and co-founded Threat Stack. My cofounder based the product off of an open source project he’d been working on. We worked on the weekend, applied to TechStars and were accepted! In November 2012, with $18,000 seed money, we quit our jobs to work on the product. We got a lawyer and worked on the first version of the product, which we released three months later in January 2013. We had $3,000 of MRR (monthly recurring revenue) by March. Basically, we had found a niche for cloud monitoring.
Was it more of a cerebral thing or gut instinct that led you to go do it?
I had enough experience in the security industry to know there was a real opportunity there. Also, it’s critical to have a good team with cohesion, solid product vision, and someone with good business sense who can sell it. I can always build something, I’m confident in my ability to build a product team and product. The more difficult thing is controlling the market opportunity. When I’m considering starting a new venture, the biggest thing is: is there a business opportunity there?
There’s so much opportunity in cybersecurity, and so many startups jumping into the industry. But many companies are having trouble figuring out what specific problem can they solve, that has revenue attached to it. You’ve done that twice now! How do you know when something could really succeed?
It’s all about analyzing that opportunity and talking to customers to understand their pain points. It’s not just about making a product that’s 20% better. For many buyers, it’s not just about the technology. It’s also about, “How am I going to get this deployed? Is the company going to be around to support it?” There’s a trust component, especially because this is cybersecurity and we need to be responsible with sensitive security information. Security startups need to prove they’re trustworthy. We need to help our customers all the way deep into deployment so they can sell it to their users — it’s especially important to do this when selling into the enterprise vs. a B-to-C play. A strong team, and taking venture capital from good investors helps with credibility when doing B-to-B enterprise sale. And of course, customer references really matter.
How do you scale beyond early adopters?
Early customers always hold a special place. Early on, you just have to do more work and give more support, then you can mature the product, and scale the rest of the business to support it. For example, if we’re spending too much time on customer support, we need to figure out how to scale. That can be by on-boarding or another process, hiring a post-sales engineer or improving documentation. This is not a once a quarter exercise, it’s ongoing work in the early stages of growth. It is leadership’s responsibility to find the bottlenecks. It’s often not apparent when you’re in the weeds, but when you do activities like rollup metrics, it becomes clear where you’re spending too much time, and the impact to your bottom line and roadmap.
What has been your experience being a female founder: raising capital, working with investors? What’s been hard, what’s been easy, what’s been surprising?
Fundraising is a necessity. You have to do it. If you’re building enterprise software, most likely at some point you need to raise 3rd party money. At Threat Stack we didn’t know what we were doing, we had a terrible pitch. It was two male co-founders and me, and from my perspective I was just there as a reference, I got to observe the process and I observed it was not going well! The original frontman left and went back to Mandiant. So, the other co-founder and I made a new pitch deck with our direction of Cloud Monitoring. We literally googled “pitch deck,” downloaded a template and filled in the blanks! Lo and behold, it started going better. We started getting second and third meetings, then eventually term sheets. It was really surprising at the time. It’s hard to fundraise as a new founder who doesn’t have experience or background. Because of that, I don’t think I noticed it as a female because it was my first time.
I noticed it more fundraising as a female for Komand (the second company I founded), it was more pronounced. Raising money is definitely a very masculine process. There were meetings with hostile investors who, from the beginning, asked questions to try to throw me off my toes. The questions and tone of the conversations can be very aggressive, interrupting and such. You have to be confident, have your pitch tight, have your business tight. It felt hard to fundraise. I felt it might have gone easier if I was a male CEO trying to raise money. I’ve had plenty of conversations where people assume the technical person is my male head of sales. I did not pitch to a single female VC. There is a dearth of females, especially in cybersecurity investing.
“Raising money is definitely a very masculine process…the questions and tone can be aggressive…you have to be confident… have your pitch tight”
There was recently a story of two female tech founders who weren’t getting call backs from investors. They made up a fictitious, male co-founder, and lo-and-behold they suddenly started receiving interest from VCs. What do you think about this?
If I’m an investor, I know that to raise more money later and sell to customers I’ll need a confident leader. And men are generally perceived to be more confident, so in theory it makes more business sense to invest in that confidence. Women may hedge their language more, or may not speak in absolutes, which can be interpreted as lack of confidence or even a lack of competence. I think women are more thoughtful, but some people might interpret that as wishy-washy or not having the confidence to do the job.
Your experience strikes me as slightly different than imposter syndrome, where someone has all the skills but doesn’t believe in themselves. You didn’t have all the experience and skills of a founder, but still found the courage to go for it. How do we help women bridge that inexperience/confidence gap?
You have to take the first step. Women need to know not to give up when things don’t go well the first 5-10 times. It takes perseverance to keep going. Practice in lower stakes environments, plan for failure, and know you’ll get better. Purposely put yourself into situations that make you uncomfortable. I took piano as an adult. The teacher wanted me to play in a recital. It was a mess of notes the first few times. It sucked. But now I’m ok. You have to push through it and keep going.
There’s lots of imposter syndrome early on, especially working alongside all men. I just had the feeling I wasn’t as good a programmer as them. But working alongside them and seeing their work, I realized, I’m actually pretty good! But men are more confident about it. Men have this culture of bravado or they exaggerate their skills, which is uncomfortable for someone new to the field. I was reluctant to ask for help or ask questions, because I was afraid to look stupid. It took me a long time to realize that confidence can also be “It’s ok for me to be shitty at this thing because I’ll get better.”
“Confidence can also be “It’s ok for me to be shitty at this thing because I’ll get better.” Practice in lower stakes environments.”
How do you adapt and build confidence like the guys and still be true to yourself and your style? Is it a fake-it-until-you-make-it thing, or like speaking another language, or do you build it like a skill? How do you think about “operating yourself” in this different world that requires so much confidence?
I understand my strengths and appreciate them. I have valuable skills, knowledge and experience that others might not have. I have developed a good understanding of what’s in my nature, and also what I’m not good at. It’s understanding and appreciating my abilities. Just because I’m not Steve Jobs or Elon Musk doesn’t mean I’m not good at my job. I have internalized this over time.
But you also can’t just rely on one niche thing that you’ve always been good at, especially at a startup. We need to be open-minded and willing to evolve. For example, I’m an introvert by nature, when I was at Mandiant I could barely look people in the eye. I worked at improving my presence, and I knew it was working when I got positive feedback after I sat on a panel. I needed to understand the importance and value of other skills, which motivated me to get better at them.
So how do you move forward when you make mistakes? How do you address the person in the piano audience that says “that sucked?”
I try to see it as an opportunity to be better, not resentful that I need to change. It’s a certain kind of self-awareness. You are going to get negative feedback, and you have to separate the emotions of it from the constructive message. I look for that adaptability in the people I hire. Some people let their egos get in the way, you need to be willing to learn and have a drive to make yourself better. There’s no room for complacency when you’re working at a startup.
What advice would you give to a woman who wants to start or run a cybersecurity startup?
Find mentors who can help you. It’s hard, it’s not 100% clear how one goes from being an employee to starting a business. Whether it’s going through an accelerator like TechStars or YCombinator, build your network, find co-founders who complement you. At some point you just need to take the leap and do it.
Any structural changes you’d recommend to encourage more female founders?
Structural changes are so hard, they take so long. Of course there’s things like hiring women, promoting women, funding women, creating initiatives that say specifically, “we acknowledge this is an issue, and we’re committed to addressing it.” We’re still in the first stage in cybersecurity, we’re just now really acknowledging the huge lack of diversity.
Do we still need to make a business case for diversity?
There’s enough knowledge about it. Whether executives and investors have internalized it and know that it will make their business stronger is harder to gauge. They might not be taking a critical eye on themselves, but they know it’s there. I doubt there’s any investor that wouldn’t acknowledge the male-dominated culture in the VC industry or the lack of women on their investment teams. I’m sure they are thinking about that given what’s going on now in the tech world. Whether the changes are driven by peer-pressure or internal revelation, they will still have material impact if we can get more women into the VC community because they will be funding other women, hiring other women. It’s a step in the right direction no matter what the motivation is.
What do you think about the “women’s initiatives” that are popular these days, helpful or not?
They’re generally a force in a positive direction. I was reading on Twitter about a woman who started her own conference in Germany to teach other women reverse engineering. Something like that removes imposter syndrome and allows for an open area to learn and explore. Being in an environment like that helps build confidence. There’s a lot of positive things going on. Not all initiatives are that helpful, but examples like that inspire me.
Jen has surely seen her share of the male-centric heart of Infosec, whether as a young hacker, working at Symantec and Mandiant, or raising capital as a female founder. I admire greatly the persona she has shaped, or become. She’s sharp on the business side, but also has not succumbed to fitting herself into a stereotype or becoming “one of the guys.” She is level-headed and focused, and as such comes across as extremely confident and competent. For example, she talks easily about being a female founder with clear eyes and no self-pity or disillusionment. There is a sense she knows very well she will face obstacles, and relishes the chance to meet them head on. She knows what she wants, and is willing to take risks. I hope we see more investors taking risks on women like Jen, and more women like Jen coming through the ranks. With more female founders and investors, power and resources will be better balanced. And as the saying goes “a rising tide lifts all boats.”
- Non-traditional paths, such as Jen’s, can yield great results. Make your decisions based on instinct, a growth mindset, and analysis of the market and business environment.
- Confidence is a critical skill, not just a nice-to-have. Confidence has real business value in the eyes of an investor, so find a way to develop that like any other skill.
- Build your confidence by practicing in low-risk areas. Push out of your comfort zone and become familiar with the feeling of imposter syndrome. See challenges as opportunities, not failures meant to stop you.
- Find ways to prove value and rise above the noise and negativity — whether it be from haters or aggressive cultures. Focus on helping people and solving real problems for your customers, teammates, and employees.
- Work with people that have similar values as you. For Jen, some important values are growth and learning, creative problem-solving, and rigorous customer-focus.