MEMBER SPOTLIGHT: INTERVIEW WITH FIRAS RAOUF, COO, EEYE DIGITAL SECURITY
Interview by Jennifer Beever
eEye Digital Security is a network security software company based in Aliso
Viejo that recently joined the Software Council of Southern California.
eEye has been doubling in size each year since 2000. We caught
up with Firas Raouf, COO at eEye, as they launch into their plans
for 2005.
Firas, would you explain exactly what your company does?
eEye Digital Security specializes in an area within the security
market called vulnerability management. One of the major issues
enterprises are faced with is the inherent vulnerabilities that
are found in computing devices, whether it's the operating system
or the software that runs on it. These vulnerabilities are discovered
by hackers that use them to launch attacks or by ethical research
firms that report them to the vendor, and then the vendor comes
out with a patch.
eEye's primary business is delivering software solutions to help manage vulnerabilities
within the enterprise network. Our primary offering is a software
product that scans your network, uncovers all the digital devices
that you have, whether you know about them or not (they could
be rogue devices), and runs a series of checks on the devices
of known vulnerabilities. We then provide reports of all devices,
all vulnerabilities, and priorities based on criticality of the
vulnerability and the device that it sits on.
Do you sell directly to IT departments?
We sell to security groups within organizations, who sometimes
report in to IT. When it comes to fixing the vulnerabilities,
IT gets involved because they manage the digital devices. Our
software provides a management console that helps IT and security
work together to fix problems.
What was going on with security and vulnerability management when eEye was founded in 1998?
At the time, the whole concept of vulnerability management was
very nascent. We had a point solution that was only doing the
scanning and discovery of vulnerabilities. That's what most solutions
were at the time - a way to equip the corporate administrator
with powerful tools that allow them to stay a step ahead of hackers.
How has the industry changed since then?
Over time, especially in the last couple of years, the issue was
not just finding the vulnerabilities, it was, "how do we
fix it?" And this necessitated the process approach - the
workflow approach - which we delivered to the market in 2003.
Vulnerability management has become a CIO issue. CIOs are responsible
for business continuity. Vulnerabilities have become a very high
business discontinuity issue. And, with regulations like Sarbanes-Oxley
and HIPAA, there are elements that are related to network security
- companies are now asked "what is the process that you have
deployed as a company to manage security risk to make sure that
your network is not being impacted or your data is not being stolen?"
The industry appears to be fragmented. Would you agree?
This industry is very fragmented. One of our VCs has a database
of about 850 security companies that they track, which is a very
big number. The interesting thing is that if you look at how many
of these companies have annual revenues of over 10 million dollars
a year, that list shrinks very quickly. Only a few of those companies
are public. So, from our perspective, about 800 companies are
creating noise when less than 50 really matter.
How has eEye performed?
We have been doubling our revenue every year. We grew from about
10 employees in 2000 to 130 employees now. We have about 7500
deployments worldwide. Some of our largest deployments include
the Department of Defense, which was a multi-million dollar contract,
Citigroup, Viacom, and IBM to name a few.
How did you come to join eEye? Did you have experience in the industry?
I didn't have experience in the security industry and, frankly,
not even in software. I knew one of the cofounders - Firas Bushnaq
- we went to high school together. When I was in the area working
with Booz Allen, Firas convinced me to come in and help him and
Marc Maiffret (eEye's "Chief Hacking Officer") commercialize
the business. I joined and focused on building the operation.
We've gone through four rounds of financing so far - the first
two were angel rounds. The last two - the series C with Insight
Venture Partners we closed in November of 2002. Our more recent
round this April had Bessemer Venture Partners and Insight both
coming in.
Was that when financing started to tighten up?
We raised our first round in mid-2000, which was pre-dot com bubble
burst. We started feeling the impact of the burst at the end of
2000 and the start of 2001. Knowing that additional funding would
be unlikely in the near future, we focused on achieving profitability
as the top priority by the end of 2001. When we achieved that,
it eliminated the need for further funding, but also made us much
more attractive to VCs.
How did you weather the storm?
We had some big plans for revenue and employee growth, and we
invested in a field sales team going after enterprise sales. We
had to scale back and focus on what we called bread and butter
sales - selling our solutions at a moderate price point using
an inside sales team. We focused on the channel as well and put
on hold our field sales model until we raised more financing in
2002. That's when we invested in enterprise sales and started
in January 2003. That was perfect timing, because the pain point
for enterprises was becoming much greater. Now we're represented
in both enterprise and departmental level sales, and we have about
50% of our revenues that come from transactions that are over
$75,000.
How is this job different from management consulting that you did at Booz Allen?
It's certainly very different. On the management consulting side,
I was in the position to recommend to companies how to run their
companies better, but I never had to go and do it myself (laugh).
We've gone through a tremendous learning curve - we went through
so many phases of organizational growth - starting the sales team
and all the nuances of that, including putting together the license
agreement, pricing, marketing, lead generation, hiring people,
going through rounds of financing, reaching profitability and
then trying to maintain it as we grow.
What's been your biggest challenge?
The biggest challenge is that there is a lot of clutter in the
security market. Companies are being hit by hundreds of security
vendors. We have to maintain a clear differentiation. We've done
that through the integrity of how we discover the vulnerabilities,
work with vendors, and then work with customers on how to resolve
them. If you do a search on Google, you'll probably see many mentions
of us finding the most critical vulnerabilities and helping our
clients address them as quickly and efficiently as possible. Security
tends to go up and down - "Is it a 'must have' or a 'nice
to have'?" When new viruses come out like a Code Red or some
of the worms that have had significant impact - people think,
"Oh my God, security is very important. I need to do something
about it." Then three months later, their priorities shift
again.
Can you point to one marketing activity that has been most successful for eEye?
Because we've been in a position to find the most critical vulnerabilities,
we tend to have a large number of security administrators who
look to eEye for an opinion that is untainted and honest, not
driven by any need to be nice to the "Microsofts"
of the world. We have about 250,000 subscribers of our newsletter,
which is massive for a company our size. If we uncover a really
huge vulnerability, we do some PR around that.
How do you find and keep good people?
The best way to attract good people is ultimately by introducing
them to existing employees that are proud and elated to be part
of eEye. That means creating an environment where the individual
employee has a voice that is heard and an opportunity to excel.
Creating a culture of openness and honesty, and a drive to be
the best also has a direct reflection on how the company is perceived
internally and externally.
How do you describe your culture?
Our culture is fostered by everybody here - there is a feeling
at eEye that whatever we make, we make very, very well. We have
a strong reputation in the market as a company that delivers on
promises and doesn't hype stuff that we don't have or can't back
up. We'll continue to be the company that is willing to take on
the giants and that is willing to tell the emperor that he's got
no clothes.
What is your vision?
We want to be a significant force of change in the security area
so that our tagline, "Vulnerability is Over," comes
true for network security. If we can get to a point where security
is not an issue (we may end up out of business), that's what we
aspire to - a point where our customers don't have to worry about
security.
With technology changing so quickly, is it a challenge to keep up with hackers?
It's a challenge, but I think that there is more that software
manufacturers can be doing to develop more secure software. These
organizations need to invest in training their software developers
in how to write secure code. You see this in Microsoft, where
security has been a much bigger priority over the last few years
than it was before. We've gone from a somewhat confrontational
relationship with Microsoft in the late 90s to a lot more friendly
one these days. We feel that we had an impact on getting Microsoft
to evolve. Some of it was painful for them - when we found some
very nasty vulnerabilities in Windows - but it's forced the giant
to do something about it.
We invest a lot of our energy in testing and retesting and retesting
for security vulnerabilities, not just for features and bugs.
From a security standpoint, every single developer at eEye is
a security person. Each developer is trained to recognize vulnerabilities
in their own code, and there is a cross peer review where different
developers get to audit other people's code.
What's been your biggest success or milestone that you've achieved?
I would say the success we've had in our large enterprise sales.
The whole idea of vulnerability management has come of age. It
is an enterprise solution, a CIO level issue, and it's become
an enterprise must have. This is something we've been preaching
for the last seven years, but it's been only the last couple of
years that it's come true.
If there's one thing you could tell other software executives, what would it be?
I think that the biggest learning experience for us as we've been
growing eEye is making sure that we really understand the customer's
pain point and how you address it. When we first started, we invested
a lot in the enterprise model when we really weren't ready as
an organization, and the market wasn't there. We had to understand
how to scale the business profitably, and in the early stages
we had to focus on building a revenue base that was focused on
departmental level sales. We then used that revenue traction to
begin investing in the enterprise model.
What are you looking at for the future?
We know that at some point 100% annual growth is not sustainable,
so this year we're being more conservative at 70% - even that
is a challenge. We're having a great time, and our employees are
very happy and proud of what we're accomplishing. At some point
we may consider going public - that would be a way to reward our employees
and would allow us to scale even more.
What's the future of the industry?
There's definitely going to be more consolidation and more companies
just not making it. I think you'll see a lot of the companies
fold or get acquired, while some of the private companies will
be able to go public.
For information on security, attend the February 17th OC Chapter meeting.
eEye Digital Security is located in Aliso Viejo, California, 1.866.339.3732.
Firas Raouf has served as COO for eEye Digital Security since
June, 2000. Mr. Raouf worked in strategic management consulting
at Booz Allen & Hamilton from 1995 until 2000. He has a BS
in engineering from Northeastern University and a Masters of Engineering
from the Thayer School at Dartmouth College.
Interviewer and Software Council member Jennifer Beever spent 14 years in
the ERP software industry prior to founding her marketing consulting
firm, New Incite, in 1997. Jennifer helps companies create and
implement systematic, planned marketing strategies. Contact Jennifer
at 818-347-4248 or jenb@newincite.com.