Friday, August 27, 2004
Interview: Tom Rowley, CEO of Preventsys
Tom Rowley is CEO of Carlsbad-based Preventsys, which provides enterprise security solutions. I spoke to Tom to get a better sense of how Preventsys fits into the security space, and to understand their solutions better.
BK: Tell me a little bit about Preventsys and your security auditing software -- what does it do and who uses it?
TR: Based in Carlsbad, California, Preventsys is a privately held company founded in 2002 with more than 50 employees. We are an enterprise security company that sells an appliance-based solution that enables large, distributed organizations to see external security threats coming and prepare their network against known and unknown attacks.
The foundation of the company is based on the fact that many organizations are challenged by both their own internal standards and also an array of external auditing standards that have materialized over the years. These are regulations like Sarbanes-Oxley, the Gramm-Leach-Bliley Act in the banking industry, and HIPAA in the healthcare industry. Preventsys was formed to develop software that would help companies understand whether or not their IT infrastructure was compliant with the rules that these various laws require.
Preventsys also had strategic insight into the fact that most organizations have already made substantial investments in a variety of other kinds of security technologies, such as firewalls, vulnerability scanners and intrusion detection systems. All of these technologies provide information that when collected and correlated would give you a good understanding of where you stood relative to a security standard. Therefore, Preventsys focused its initial activities on being able to assemble the information from a large number of different sources, package it up in a very understandable format, compare the data to these standards and regulations and finally present the results in a manageable way. Helping companies audit themselves was the initial thrust of the company and it signed on customers like Bacardi and Electronic Arts, both of which we still have today.
What we've discovered along the way is that this exact same approach -- a policy and rules-based look at security -- can actually help senior management have a better understanding of what their overall security posture is and how prepared they are for the many attacks that seem to pummel companies day in and day out. These attacks will also happen with more and more frequency and damage as the Internet becomes more integrated into everyday business use.
With this in mind, Preventsys took the same technology it used for auditing and asked, "What can we do to help security teams do what they need to do today - eliminate business disruptions caused by cyberattacks?" We wanted to come up with a solution that enabled the enterprise to get in front of problems, before they were attacked, rather than during or after attack as products help them do today. We thought -- and still believe -- that the best way to do that is through a process management system, one that is able to look at everything happening on your network, decide what might be potentially dangerous, and then prioritize your actions in a way that enables you to respond quickly to it - again, before an attack. We call this entire process enterprise security management. While not a terribly exotic name, it catches the flavor of what we've been able to accomplish and that is helping an enterprise understand its security posture and what it needs to do in order to improve it in context to threats that are out there "in the wild".
BK: Why Preventsys? In what looks like a crowded security space, what is unique about your company?
TR: You are certainly right about security being a crowded space. The current investment rate in the venture community is 35 new security companies a quarter. So there are certainly a lot of people working to build a safer Internet and addressing the myriad of other security problems.
What's unique about Preventsys is that, unlike most of these companies, we are not building another point solution. In other words, most security companies pick a very small aspect of security to address, such as identity management, secure SSL or deep packet inspection, and then focus all of their attention on doing a good job in that one particular area based on a new technological breakthrough. But what happens is that the poor bewildered network or security manager at a corporation who buys these products finds himself inundated with all of these point solutions that on their own only know how to solve one piece of the security puzzle at a time.
What we've heard over and over from security professionals at large organizations is that what they really need is a management system that enables them to see the big picture in order to figure out the relative importance of various problems and determine, in a managed way, how to go about deciding which should be prioritized first to spend valuable time or money on. In short, Preventsys is not in the business to build another clever security gadget. What we offer is an integration platform for all of those products that a security manager already has. These point solutions feed information into the Preventsys information security management system and we consolidate their data into something that is an intelligible, actionable, trendable, manageable process - all ahead of an attack. So what's unique is that we offer a quality management system for security as opposed to just another random technology.
BK: How did you decide to join Preventsys and what did you see in the company?
TR: I have been working with early stage technology companies most of my life, Preventsys is my ninth, and most of them have been venture funded. Over the last decade or so I have focused on security companies and on encryption and biometrics. Most recently I formed a company called Counterpane Security, which is arguably the most successful among the incident management companies. Counterpane is in the business of detecting attackers when they break into a company and stopping them before they do any damage. While I helped build a great company, I came to believe that their approach wasn't enough to fight the security battle. In order for an organization to make real progress in security, it has to be more than reactive and fast, it needs to be clairvoyant and get in front of the problem - be smarter than the hackers and script kiddies.
I decided to look for a proactive security company, specifically one that was building a system that could enable you to design yourself out of security problems, rather than playing a reactive role. And that's what I found at Preventsys. Preventsys is about building a management system that makes it no longer necessary for you to instantly react because you've already dealt with the problem. We like to say that real-time security is not fast enough. This means if you rely on real-time to protect yourself, you're already going to be too late.
What drew me to Preventsys was its proactive approach, one that I believe is pointing towards the future of this space.
BK: Who are your investors and where do you stand in terms of funding?
TR: We have three primary investors: Enterprise Partners, based here in San Diego; Apax Partners in San Francisco and around the world; and UV Partners of Salt Lake City. The company has closed two rounds of funding to date and is very close to profitability.
BK: What has been the biggest challenge for Preventsys in taking your software to market?
TR: Security is similar to healthcare in that everyone is looking for that magic pill to solve all ills. For enterprise security, promises of the silver bullet have come in the form of single products, such as firewalls, anti-virus or intrusion detection systems. At Preventsys, our mission is to educate the security industry that, like diet and exercise, true security can only be attained by taking a process-based approach, not by relying on single products that promise the sun, the moon and the stars. Getting organizations to accept the fact that their security will not improve unless they put an effective, cross-departmental security process in place is our challenge, but we're already seeing the leaders in all market segments do just that; the rest are soon to follow.
BK: Finally, what's your next big goal for Preventsys?
TR: For early stage companies to be successful they must simultaneously accomplish four things: recruit the right people, deliver to existing customers, acquire new customers and get funding. Three out of four doesn't cut it. In fact, nine out of ten early stage companies don't survive because achieving all four in balance is hard to do. My experience growing nine other early stage companies into maturity is one of the reasons that I was brought on board. My goal is for Preventsys to beat those odds and right now we are executing on all four fronts.