W Power 2024

Meet the 72-year-old 'whiz kid' behind cybersecurity startup BitSight

Shaun McConnon has sold three tech startups for a total of $1 billion. Now he's building a cybersecurity business that could soon be worth a billion by itself

Published: Jan 12, 2017 07:41:09 AM IST
Updated: Jan 9, 2017 06:14:31 PM IST


“I’m not the idea guy,” says Shaun McConnon. “I usually inherit the idea or concept that, over the next two years, I morph into something that people will pay money for.”
Image: Jonathan Kozowyk for Forbes


The founders of BitSight Technologies, Stephen Boyer and Nagarjuna Venna, believed they had a hot idea for a startup: A business that could assess and rate the cybersecurity of other businesses. But they also knew that a great idea means little without great execution. So they turned to someone with a record for building startups, Shaun McConnon.

Initially the founders thought McConnon, now 72, would make a terrific mentor. But in June 2012 McConnon, who had run three cybersecurity startups and sold them for a combined total of $1 billion, signed on as CEO. Boyer says the founders’ decision to bring in McConnon to run the business (they stayed on in technical roles) was an acknowledgment that most startups fail. “I rate them high on courage,” McConnon says. “They knew that I had separated from founders of the three previous companies.”

Today BitSight, based in Cambridge, Massachusetts, is in a sweet spot as companies look to reduce the risks of being hacked. BitSight issues daily ratings, like a credit score, for security and help companies flag not only their own risks but also those of the companies they do business with: Vendors, partners, acquisition targets. The risks from third parties burst into public consciousness after the 2013 attack on Target, when the credit- and debit-card data of 40 million customers was stolen through an HVAC vendor. While BitSight faces competition from newer entrants like SecurityScorecard and RiskRecon, it retains the first-mover advantage and raised $95 million (it was recently valued at $340 million).

Named to the Forbes 2016 list of next billion-dollar startups, BitSight has more than 500 customers, including AIG, Safeway, Ferrari and Lowe’s, and has assessed the security of some 70,000 companies. Customers pay a subscription, with annual fees ranging from a few thousand dollars to analyse a single company to more than $1 million to review thousands of suppliers. Forbes estimates BitSight’s revenues will reach $50 million in 2017 and $100 million in 2018, when McConnon hopes to take the company public. He expects it to be profitable by 2019.
 
McConnon has never founded a company himself. Over the past two decades, however, he has sold Raptor Systems to Axent (now part of Symantec) for $250 million, Okena to Cisco for $154 million and Q1 Labs to IBM for some $600 million. “Shaun is a unicorn as a CEO,” says David Aronoff of Flybridge Capital Partners, who has known him for two decades and who connected him with BitSight.

In each case McConnon, who is worth more than $100 million, joined the business at an early stage, brought in investors, made a marketing push and negotiated a sale. At Q1 Labs McConnon changed the direction of the company, taking it from an also-ran in behavioural-anomaly detection to a network-security alternative to Cisco. “Our investors had just invested in us and the category we were in,” says Tom Turner, 46, who has worked with McConnon for much of the past 15 years and is now BitSight’s president. “And Shaun went back to them and said, ‘This isn’t a long-term market.’ One of Shaun’s great qualities is he does see market trends happening.”

Stephen Boyer (left) and Nagarjuna Venna are the brains behind BitSight’s technology
Image: Jonathan Kozowyk for Forbes

To those used to seeing tech CEOs in hoodies, McConnon is a throwback. When he’s plotting strategy, he likes to sit at the Local, a gastropub near BitSight’s headquarters, and scribble on the backs of the previous week’s menus. He self-published a novel and reads voraciously, passing out books to staff and board members. “He gives me so many books it’s hard to keep up,” says Glenn Solomon, a managing partner at GGV Capital and a BitSight board member. “I’d put his energy level and drive against any of our founders and CEOs despite the fact that he is double the age of many of them.”

McConnon was born in Brooklyn in the 1940s, to an Irish-American tank man in World War II and a Czech woman. He was a tough kid who got into fights until the police put him in a programme and gave him boxing gloves. “I had a chip on my shoulder,” he says.

He studied biology at Roanoke College but ended up in computers, becoming employee No 74 at Sun Microsystems. At Sun he ran sales in Australia and New Zealand, leaving in 1994 with enough money to retire. Instead he became CEO of his first startup at age 49. “I’m not the idea guy,” he says. “I usually inherit the idea or concept that, over the next two years, I morph into something that people want and will pay money for.”

At BitSight the idea guys are Boyer, now chief technology officer, and Venna, chief product officer. Both 40, they met as graduate students at MIT. The idea for BitSight was simple but excruciatingly difficult to execute. Rather than ask companies about their security risks, they would assess those risks from the outside, observing communications coming into and leaving a company’s network. “In 2011 nobody was paying attention to this. It was not on anyone’s radar,” Venna says. “We were going to VCs and they were saying, ‘That is not an important problem.’”

It is now. Cabela’s, the hunting and fishing goods retailer based in Sidney, Nebraska, has been using BitSight for almost a year to monitor its own risks and those of some 85 vendors. It has slashed the time taken to vet new vendors from days or even weeks to just hours, says Michael Christian, Cabela’s information security manager for cyber-risk and compliance. “Three or four times, I have actually said no to vendors,” he says.

Behind BitSight’s simple scores is a complex process and a lot of data. In 2014 McConnon acquired AnubisNetworks, a Portugal-based real-time threat-intelligence provider. The company had the best botnet-detection data in the world, McConnon says, so he bought it for $13 million—even though Anubis was bigger than BitSight. “Within a day,” McConnon says, “I emailed my biggest competitor in New York, who was also leasing the data, and told him I was giving him 30 days’ notice that he no longer had access to the data.”

McConnon raised another $40 million in September to ramp up partnerships, add 100 people to BitSight’s staff of 220 and pursue further acquisitions. As he says, “No one gives you a ribbon in this business for coming in second or third.”

(This story appears in the 20 January, 2017 issue of Forbes India. To visit our Archives, click here.)

X