How I Launched This Company
Presented by: Aliza Knox, David Merkel
Originally aired on January 24 @ 11:30 AM - 12:00 PM EST
How I Launched This Company explores the path of entrepreneurs and innovators in the Asia-Pacific region. From challenges faced to lessons learned, we will join them on their journey as they share how they got to where they are today.
English
Interview
Entrepreneurship
Transcript (Beta)
Welcome everybody to another episode on Cloudflare TV of how I launched this company.
I'm Aliza Knox, head of Cloudflare in Asia Pacific, and today we are really privileged to have with us Dave Merkel, who is a serial founder and is going to talk today about Expel.io.
So Dave, thank you for joining us from Boston.
And are you in Boston? You're in Boston right now, DC, East Coast. Sorry, sorry.
I am American. I know the difference. Okay, so but East Coast, nighttime, and you know, bright and early here in Sydney, and we have no idea where people are on from, which is great.
So before we get started, can you just tell us what Expel.io is and does?
Yeah, yeah, sure. So we're in the cybersecurity universe, which, you know, is kind of a giant market of markets.
What we specifically do is we're trying to address the security talent problem.
If you're not in the cyber industry, you may not know there's just there's a shortage of people with the skills that particularly companies need to do the things they need to do to protect themselves on a regular basis.
What we've done is built what's called a managed detection and response platform.
And what that does is let's expel do some of that work for companies so that they don't have to do it themselves.
And we've done it in a very technology forward way. There's a bunch of legacy sort of services businesses in this space that do it a lot with people.
Our play is we have a giant technology stack, and just a little tiny people hat.
And then we do the we do that work for for companies at a very large scale, to a very high degree of quality.
So we we stop bad guys. Um, yeah, I think I had read recently, the number keeps going up that there are something like 3.5 million unfilled cybersecurity roles.
Yeah, this can't get enough people. So I'm sure companies are going to need more and more of these services.
Can you give us a bit about your personal background?
How do you how did you get to this stage? I think if I recall correctly, you might have done some work in the government.
But how did you get to the point where this was a company you wanted to start?
Yeah, my entire career has been an accident, except for my first job.
So I went to school on an Air Force scholarship.
So that first job was deliberate, I was going in the military.
But everything after that, to include getting into cybersecurity, which happened when I was in the military, was an accident.
I was originally doing, actually, well, military federal law enforcement work, I won't bore you with how that works, but it does.
And then they figured out that they paid for my computer science degree, and said, hey, instead of chasing regular bad guys, you can go chase cyber, you know, chase hackers, you know, cybersecurity bad guys.
And I fought it tooth and nail, which means you didn't really get to fight it.
They said, shut up, go to Washington, DC and do this work.
So that's how I really got my first step into this industry.
When I left the military, after I served my time, I got out right as sort of the dot com boom was starting to happen.
And being here in the East Coast, I ended up working at AOL America online in the late 90s, which back then was a very relevant at scale technology business bringing, you know, online connectivity to consumers.
And today is perhaps different than that. But very exciting at the time, I did that for a number of years.
And after I'd kind of gone as far as I could, there was starting to figure out what I wanted to do.
And someone that I had worked with in the military at the time had actually gone out and started a cybersecurity company called Mandiant, which at the time, back in this was 06, was really focused on services.
So they're very small company, just a handful of literal handful of people.
But they were doing high touch consulting services for companies that were breached that had been hacked.
And the founder there, Kevin Mandia, had come to me and said, Hey, I've got it, because, you know, we knew each other.
And he knew, hey, you're, you've built technology, you're kind of a nerd. Yeah, I kind of am.
He said, Hey, I got an idea for a product, you know, could you build this and the product he described is an early version of for people that may be familiar with the brands of what CrowdStrike and Carbon Black are today as products, if you don't know what they are, don't worry about.
Anyways, great idea. I said, Wow, I could use that in my current job, let me come and build that.
And so I left AOL to go to Mandia.
And at the time, there were, you know, 10 of us in the product business, which is what I was building was me and one developer.
And we did that very successful run, had a had a lot of luck, but a lot of good success, sold the company to FireEye at the end of 2013.
So yet another cyber company based on on the west coast.
I stayed on board as their global CTO. For about 18 months, I expected to get fired shortly after we got bought, because I knew my people would work for them.
But the CEO at the time, Dave DeWalt said, Nope, have I got a deal for you.
So you know, I did that for a little while. And then after I had finished my stint there, I quit.
And because it was time, just time they treated me well.
And then I said those fateful words, I will never do another cybersecurity company again.
And here I am. Right? What's changed your mind? What changed your mind?
What got you to? Yeah, again, that it's really interesting. You know, when I when I had said those words, hey, I don't want to do another cybersecurity company, the kinds of things that were on my mind were not liking the way parts of the cybersecurity market, you know, behave.
This isn't true across the board.
But for the kinds of cybersecurity companies I've been around, something that's that's very prevalent is a kind of fear based marketing, you know, the color red and logos.
And I don't like that because I sometimes can't see the color red because I'm colorblind.
The the way that they market, so they talk about, you know, hey, we do all these things.
And they use a lot of fancy words to obscure what their value really is.
And maybe their values a little bit smaller than that.
I don't like enterprise sales. That's not to say I don't like enterprise sales teams.
So if any of my sales folks are watching this, you know, I love you. So that's not it.
It's not that I don't like my customers. It's not that I don't like the companies.
I don't like the game that has evolved between them. Buying and selling of security things.
And so I was done. But later, the year I left fire was like middle of 2015.
That November, I was scrolling through Twitter, which was, you know, decidedly less toxic experience than it is in 2020.
And saw this tweet from an industry analyst that I knew that used to cover the stuff that that I used to do at FireEye and at Mandiant.
And what he said was in his tweet was he was describing the market that I'm in.
He said, you know, hey, this legacy market is kind of the customer service equivalent of a taxi cab.
And it's ripe for disruption. And I saw that.
And I said, yep. Yeah, that's right. And then it's stuck in my head. Like, even though I was done, it wouldn't go away.
And I got with a couple of folks that had been with me at Mandiant.
And I had also left FireEye, you know, after being acquired around the same time I did and started talking about it.
And we just couldn't put the idea down.
And then when we said, hypothetically, who would we get to do this with us and started writing the names on the back of a napkin, literally in a bar, like everybody talks about doing a napkin, a startup napkin.
I think we still have it somewhere.
I have to go look. And there's like a dozen names on this napkin.
And I'm realizing we could get these people like, wow, amazing. Now I'm excited because the same things I don't like about security, they don't like about security.
The same values I have about a company, they have about a company.
That's what really got my attention and got me excited about the potential opportunity.
And how are you managing it? Because you have how many co -founders, official co-founders, not just this team?
There's just the three. It's myself, Yannick Korf, and Justin Byko.
There's three of us. Okay. And how do you, some of the people who will be watching this or are watching it now are founders who want to learn from your experience and this is your second time around.
How do you balance who does what in a startup where there's more than one founder?
Yeah. When we talked about it at the beginning, we were all pretty direct about what we were willing to do.
I'm not willing to work for anybody again. So it's pretty clear what role that I was going to take if I was going to do this.
My co-founder, Yannick, is just a very talented, I can't believe I said that.
Yannick, if I said that, don't, I'm kidding.
You're not that talented. But just an all around operator and sort of, I think one of my board members calls him sort of a business athlete, very operationally focused, very detailed.
And then our other co-founder, Justin, knows people in emotion better than any of us.
So there were just some natural lanes that our strengths lent us to.
And then we had a really, and still have a very high trust relationship where we can just kind of talk about things as they happen.
And we don't let a bunch of drama or unsaid things build up between us.
That's what I think has been key thus far. Yeah. How do you, first of all, I like the term business athlete.
I'm going to quote that if you don't mind. Then what about, how do you make decisions though?
Like do two of you outvote the third or can you do it all by consensus?
I'm the CEO. So what I say goes, now how do I, it has to, right?
Like at the end of the day, someone has to make the final call if you can't come to agreement.
But the way decision-making really tends to go, it's not contentious.
Like it's even broader than myself, Yannick, Justin, if I think about our entire executive team, and we're just very lucky to have a highly talented team that has great people where we all respect and actually like each other.
You know, first, the first order of decision -making is we're going to try to make the decision as close to the problem as possible with the person that has enough context to make the decision properly.
That's first and foremost. And we don't need to see every decision, which means that we accept the fact that, huh, someone might make a mistake.
They might go ahead and make a decision where maybe they thought they had the context and they didn't.
And we're accepting that risk. We're saying, you know what, for a culture where we want to be, where we want to drive empowerment and move quickly, that means you got to make decisions quickly.
That means you take a little bit of a risk there that maybe something, a decision gets made and not everything's quite lined up the way it should have been.
Okay. Then we learn from that for next time.
So that's the first thing. And the second thing is I expect graceful escalation.
So if this person, you know, executive X is trying to make a decision, there's multiple stakeholders and they can't agree, then they agree to disagree.
And that means they're going to bring it to the next layer up, which let's say is me.
And then I'm going to make that decision after consulting, you know, all the parties and saying, okay, well, this is what we're going to do.
And that's really my job. Like I do, I think Kevin told me this, um, at, at Mandiant and he's turned, at least for the way that I, I like to run this company.
He turned out that what he told me was, was right. He's like, well, the real thing you actually do is you make three or four decisions a year that matter that only you can, only you can do.
And the rest is kind of window dressing. It's accurate.
That's, that's turned out to be largely the case. Um, so that's a little bit about how we think about, uh, you know, getting things done and who gets to decide what on a regular basis.
Interesting. Um, what about, well, so I've got a couple of things lined up, actually lots that I want to ask you.
So one thing is, uh, has COVID impacted you at all?
I mean, most of us haven't escaped some sort of impact from COVID, whether it's sitting in the room for the last eight months or having more demand for cyber products or harder to sell because we can't see our customers or, you know, I don't know, resounding success because people need to order online.
So how has that impacted Expel? Yeah. So, so a few things, I think, uh, I'll, I'll be, um, I'm Irish, so I'll do the opposite of what I usually do.
I'll start with the good things and then we can talk about the hard stuff.
The, um, the good stuff is, uh, first just how fast the team reacted to the changing environment, particularly just things like coming to work, right?
Like I walked in the office on a, well, I didn't cause I was quarantining at home because I'd flown to LA, which was a riskier zone.
So I was quarantining at home, but made the decision on a Monday.
We're done by Tuesday, everybody out, go fully remote and no, no issue.
Um, you know, we're a young company, we're cloud native. The office is a place that people gather.
It doesn't have anything important in it that we need that prevents work from getting done.
And we've always ever had a bit of a remote workforce about, about 20, it's more than this now, but at the beginning of the year, I want to say it was 25 or 30 % of our employees were remote.
So we already had some muscles and some tooling to, to handle some of that.
So that went very well.
Um, we, uh, you know, we do have some customers and impacted industries, but I'll say the impacts to those companies have not been what I would consider, you know, severe when I look across our customer base.
So, yeah, there's been some contraction here and there, but not bad.
And people have been able to pay their bills, which we're very thankful for.
Um, we did see, uh, as I think about, um, uh, you know, some of the challenges acute to kind of the May, uh, April, May timeframe, things were definitely grinding to a halt in retrospect.
We can see it very clearly. We couldn't see it quite as clearly in the, in the moment, but when we look back at it, it was very clear that, um, April, May things slowed down June, they started to accelerate again.
And then in Q3 for us, things were, were humming.
Um, and that happened, we think for two reasons. One is what we figured out, how do we target around this thing?
Like, how do we go find new customers, um, in a space like this and what's important to them and how do we talk to them?
So we figured some of that out. Um, and that started to have an impact and then Q3 into Q4, what we're seeing is how the broader economy is loosening a bit.
And some particularly larger customers that were still hunkered down a little bit at the beginning of Q3, um, trying to sort things out are starting to stick their heads up and we're actually having a fantastic Q4, uh, and I think we'll be basically full speed for, for 2021.
Um, so, so that's, uh, that's been really positive.
And then, and then the last thing I'll say, um, as just a huge positive is you find out the true character of people when you put them under actual duress and just watching my crew, just the way they lean on each other and how they help each other and the things they do for each other.
You know, like we put a lot behind the company doing that and it's amazing to see how that's reflected in our people.
Uh, just, uh, fantastic, like just an amazing group of folks, uh, that I really, uh, am very humble actually to have the opportunity to Uh, how many people do you have at this stage willing to share?
That's not totally, uh, what's that?
Um, I'll probably get this number, precise number. It's like 211, 212, 13, somewhere in, in that, uh, in that amount.
So, uh, pretty significant.
Yeah. Yeah. We, um, and, and I think I forgot to ask you at the beginning, how old is Expel?
When did you start it? Yeah, we founded in, uh, founded and funded kind of at the same time at the end of August in 2016.
So four years and a handful of months.
Wow. Yeah. That's been a quick ride. So since we are, um, you know, cloud players missions to build a better Internet, we are also a security company.
Um, I'd love to hear just a little bit about the tech stack. I know that you could probably go really, really deep.
Let's not go too deep, but we'd love to hear a little bit about what you're built on, how you thought about, um, creating the company.
Yeah, sure. So, um, the primary technical problem that, that we're, uh, that we needed to build a platform to solve, I'm probably gonna probably shouldn't use the word platform because that's a loaded buzzword that sets off people, but the, we needed to build a thingy.
Um, and the, the, the problem we're solving is our, our customers have a bunch of security technology widgets that they bought.
They could be in the cloud. Um, they have a bunch of assets in the cloud.
They've got stuff in data centers. They got, yeah, whatever. And they have these widgets.
And so the thing we need to be able to do is integrate with all of those at an API layer, um, process, the security signal coming out of it and mix and match it, combine it, sort it, sift it to figure out does anything here matter.
And if there's something there that matters, do something about it, um, and do as much of that in software as we can.
And wherever we reach a point that the software can't go further.
Now it needs to be presented to an actual analyst with all the things around it necessary for the analyst to make a decision and take action.
Uh, so that's the, that's the job of the, of the platform. So, so first off we were like, now this is a, this is a cloud native problem.
So to the cloud. And, uh, so we're based on GCP, um, and do a lot of stuff with, um, uh, containers and Kubernetes as you would expect for managing, um, uh, that, uh, that infrastructure.
Um, as far as, you know, building the actual, um, software to do all of that stuff, it's going to be the usual kind of full stack set of tools you would expect.
And there's some Python over here. There's some go over there. There's, um, you know, kind of web services and APIs and, um, you know, web UI and all that kind of great stuff.
So there's nothing, nothing particularly weird about any of that.
It'd be pretty common for anybody starting another enterprise SAS cloud-based company.
We look very much like that. Um, the, uh, probably some of the decisions we've made that might be a little bit different, uh, maybe not different for you at Cloudflare, but different for other companies is, um, another thing I don't really like about some security companies, having been at a few and having had a chance to see a few others is they're not terribly great at security for themselves.
Um, I've seen that as a challenge sometimes. This is the doctor heal thyself problem, right?
You've got the cobbler's kids, you know, don't have any shoes that, and I get it, right?
Like there's a whole bunch of stuff when you do a startup and there's a snake, that's going to kill you today.
And when you first start that startup, the state that's going to kill you is you never have a product and never sell it to anybody.
It's not security. Like that's not the snake that kills you today.
So I get it. Um, so I don't want to offend anybody with my statement, but you have terrible security.
I'm not finger shaking at you. If you're a founder out there and that's you, I'm just saying, we looked at the problem we're solving.
We connect literally to the security infrastructure of our customers that are in many cases, large, important enterprises.
That means their security border extends all the way to my front door.
And so if I have a problem, they have a real problem because we can allow bad guys to take over all the things that secure them.
Like that's a huge risk. So very early on, we said that it can't be us.
We need to do all the things we've been telling people they need to do.
And we have to do it first without anybody telling us. So, you know, we hired, um, uh, a great CISO, uh, Bruce Potter, very early, like pre-product.
There were only 40 people at the time he reports to me, which is what I tell everybody else who's serious about security.
CISO reports to the CEO. He shows up to all of our board meetings.
He's the first person to brief the board, not the last.
And that way they have to listen. And they're also great by the way, awesome board members that eat that stuff up and ask great questions.
Well, the other thing that we're then doing on the technology side is as we think about how we build our infrastructure, we have to engineer with that same sort of diligence around, uh, encryption, key management, identity management, all those kinds of things, uh, so that, uh, the infrastructure itself has a degree of robustness that reflects the risk that we could pose to our customers.
So there's a lot of energy we've put into, um, you know, that side of how we put the, uh, put the platform together.
Really interesting. Do you, have you guys ever made any mistakes?
Are there things that if you look back, you say, I wish I'd done it another way, or I've learned something, or did you not, that you'd already done this once?
Um, I mean, we do have the benefit of having done it before. And some of us have worked together before.
Um, I sometimes use the analogy, uh, which resonate with parents, um, that this one's kind of like your second kid, first kid, you're like, Oh my God, what's going on?
Like when they sneeze, you're like, are you dying?
Um, okay. So second kid, you're like, Oh no, you know, you're screaming, but that's teething.
Now that also means, you know, the phases. And so you're like, Oh yeah, that next phase is coming up.
Oh, I hate that phase, but it's a net benefit. Um, so there's a little bit less panic that, that being said, uh, what was something that there's definitely something that surprised us.
Um, I don't know if it's, uh, uh, maybe a mistake.
Maybe we could have done more as we were building and preparing to go to market, um, to, to discover this than we did.
Uh, and, and the surprise was this.
So, so as we looked at the market, we're going after, we're going after a legacy services market and we're trying to disrupt it with a SAS company.
That's us. Right. And we know those customers are hugely dissatisfied with the incumbents because they've been my customers before.
And I, and while not in quite the same capacity, I was close enough to this problem to get an understanding of what their issues were.
And so I had a pretty good sense that, yeah, they're unhappy, they're dissatisfied.
Um, actually they're abused. And what that means is the level of trust that I've got to try to build as a new offering in the space bit higher, you know, to get them to even to just try it, the level of wall I've got to jump over from a trust standpoint is higher than we anticipated because it's not sufficient for it to just be better because the last person that was terrible lied to him and said it was better to probably multiple times.
And so, uh, we adapted, you know, we have, um, you know, a good, uh, you know, I've got a great CRO, uh, smart marketing team or how to put together the right messaging.
How do we put together the right tools? But that definitely, it took us a little while to kind of unlock that so that we had that repeatable, um, sales motion and that we could classify those buyers into, oh, yes, I can build trust with you.
I need to do it this way or that way, or no, it's hopeless. I'll see you in two years.
And we needed to figure that triage out to really start to gain some momentum.
That's interesting. Um, I think, I guess that's a good thing for people to learn or think about their businesses and makes me think about, you know, is there any, um, advice that you would have, you know, now that you've done this twice, you're on your second child.
Um, and maybe you'll say you'll never do it again and we'll see if when you get to number three, you exit this one, but you know, is there any advice you'd give for first time entrepreneurs?
Um, yeah. Uh, well, first I, I always hesitate on advice.
I have a little bit, uh, that I am willing to share, but I'm, I'm, I'm always hesitant.
I'm, I'm always happy to tell stories and then you can glean from it what you want.
But I do have a couple of areas where I will venture out onto, um, offering some advice.
You're the limb go right out on that.
Yeah. I'll tiptoe out there. Um, one, one piece of advice, uh, I'd offer is, uh, it's super easy to get discouraged when you're starting.
Cause it's super easy for everyone to poke holes in your idea.
Um, and super easy to, to fall victim to the thinking, well, nobody's done it yet because it's impossible.
Um, or because it doesn't matter. It's very challenging sometimes to, to, to find some tailwinds.
So, uh, don't, um, don't let initial pressure there discourage you.
That doesn't mean you shouldn't be critical of your idea, but you're definitely not going to get your company off the ground if you don't believe in it and have some energy behind it and think that it can go.
So there's, there's, there's some, some real self -reflection you've got to do there.
And some of that, those early roller coaster moments, and it is a roller coaster, it's up, it's down, et cetera, especially when you're fundraising, especially when you're fundraising early.
Um, and then on that point, kind of building on that, the other bit of advice I would give for, um, uh, founders that are going to go kind of a fundraising route, uh, in our, in our case, we have a portfolio of, uh, you know, growth VCs that you would all recognize.
Uh, I got this advice from another CEO here on the East coast.
And he said, look, always be fundraising. And what he meant by that was not necessarily always out trying to close the next round in the next minute.
If anybody's got a checkbook open, it's continually building relationships in the fundraising community.
So that by the time you do raise around, you're raising it with some people that you've known for 12 months or 18 months or two years, and maybe you got a chance to meet with them six months before you need to raise around so that if a global pandemic kicks off and you decide, Hmm, I'd rather have two years of runway than 18 months or 12 months or whatever, you can go to a bunch of people that already know you as opposed to trying to start from scratch.
Um, which by the way, we, we did raise around, uh, this year in 2020 in the spring.
We didn't need to, we have plenty of money through probably middle to late 2021.
Uh, but we looked around the table and said, how long is this thing going to last?
Who knows? Could we raise a, an uncompromising up round right now in the spring, as everybody's going into quarantine and we have no idea where the economy's going.
Don't know. Turns out we could, and we did so quite successfully.
And it's because of that always fundraising, always relationship building mindset.
And we had put, um, uh, a lot of energy and effort into that.
And it gave us options that other people wouldn't have otherwise had at a, what otherwise could have been a challenging time.
And what about you? You just said in there that you, um, got advice from another, I guess, startup CEO.
So that's an interesting question for me.
Where do the three of you go for advice or because there are three of you, do you not need any, is that enough?
We're, we're idiots.
We need lots of advice. Um, I don't believe that. And, uh, and you know, the strength of us having worked together for a while is there's strong bonds of trust and understanding of each other's patterns.
The challenge is echo chamber, right?
So yeah, we, we do need advice. Um, places I go, uh, uh, I love to benchmark with other CEOs, uh, talk to other people about, um, their journey and they're just wonderful to commiserate with, whether you're dealing with making a talent decision or trying to benchmark, you know, financial planning and get your head around, you know, what direction do you want to steer this thing?
How much should you be spending?
How much should, you know, this part of this department contribute to this much recurring revenue, et cetera.
So just great resources.
Um, once, once you do have investors, uh, if you've got good ones, um, they are great counselors and then they are also great, uh, networks that can get you to other people that you just may not have the reach to get to.
Um, and frequently other people that are at a different phase than you are, because when I'm benchmarking now, yeah, maybe I'm talking to somebody at my, at my current state, but I'm probably wanting to talk to somebody who's already been through it a few times because they've got, they've got the knowledge of successful journey.
And I find my board is tremendous at making those connections.
And those conversations are hugely valuable and also come to find out, um, uh, you know, founders of companies, other entrepreneurs, awesome community.
I haven't run into anybody yet that wasn't willing to have a conversation and be very generous with their time and they enjoy doing it and come to find out when I've had it happen to me, I kind of enjoy it too.
Right? So there is a great sense of community amongst the people I've had a chance to interact with.
So we're almost out of time. Let me just ask again, as tips for other entrepreneurs, are there those communities that you mentioned?
I know that one of your funders is Graycroft.
And so I know that they have done, they tend to put, um, people together.
Are there other communities? Like, is there a YPO for, um, entrepreneurs?
How do you meet these people?
Or do you walk around the street saying I'm an entrepreneur? Well, let's see.
Um, uh, uh, some other firms, um, that we worked with will sometimes put on great events back, remember events, um, we'll put on events that are great networking opportunities.
So that happens. Um, a lot of times it's, it's just having an idea of what you want and asking.
And then the people that you work with, you know, particularly, um, people on your board will go use not only their networks, but ask through their entire firm to find a connection if they don't have it.
Um, so that's, that's tremendously helpful.
Um, a lot of times it's, uh, you know, everybody's got a network of people that they know it's, if you're getting a chance to meet up with those folks for a certain purpose, maybe add a couple of other meetings just to catch up with some people for the sake of whatever, because you never know what additional connection or conversation that that might spark.
Like, like anything, it takes effort if you want to, you know, have good connections.
Um, and it is unfortunately, particularly if you come from the technical end of things, uh, as I did a long time ago, it's, it's easy to under invest in it.
Uh, and so I think putting in energy is important.
I'm going to cut you off. Thanks for that last bit of advice on over-investing and kind of networking, getting to know other founders.
Thank you so much to Dave Merkel is one of the co-founders and the CEO of expel.io, which is helping people solve the problem of not enough cybersecurity expertise and talent in the world today.
So thank you, Dave. It was great to have you on.
Excellent. I really appreciate it.