The SLASSCOM Cyber Security Centre of Excellence (CSCx) hosted its first webinar titled ‘Building A Cyber Security Product: The RiskSense Story’ on Saturday, 23rd of January. Two co-founders of RiskSense, Dr Srinivas Mukkamala & Ram Swaroop Movva spoke about how they built up the company from a research project to a market leader in Risk-based Vulnerability Management, protecting some of the most sensitive networks in the world. The webinar was organized by SLASSCOM CSCx to encourage Sri Lankan start-up founders to look to cyber-security and its adjacencies as a lucrative target market for their products.
What is RiskSense?
RiskSense is a Risk-Based Vulnerability Management platform. In a nutshell, this means that it considers all security vulnerabilities present in an organization and tells IT teams which issues to fix first. This means that Information Security teams spend less time dealing with administrative work and more of their limited resources on fixing issues.
How do they do it?
RiskSense first collects data from all Vulnerability Assessments and Penetration Testing activities that a company conducts, if required they assign a partner to carry out the necessary scanning. The list of all discovered issues is then prioritised based on factors such as criticality, external exposure, and severity. Most importantly, it taps into over 100 threat feeds to know which exploits have are being used by malicious actors recently. These issues are then automatically assigned to the responsible person with suggestions on how to fix or patch the issue with deadlines. Once issues are fixed the ‘RS3’ score of the company increases. The score is modelled on credit scores and helps even non-technical managers & boards understand their security readiness.
The origins of RiskSense: Students to Entrepreneurs
The session kicked off with a discussion about the speaker’s backgrounds and how what got them into the cybersecurity industry. Due to his background in Neural Networks, Dr Srinivas was afforded opportunities to work with pioneers in the field which led him to work on cybersecurity problems for the US Defence community. His patented approach to applying Machine Learning (ML) in Cyber Security know as Support Vector Machines is still the most widely used 18 years later.
In 2004, he was looking for datasets about cybersecurity to feed his ever-hungry algorithms and this led him to take on cybersecurity work for small companies around New Mexico. They could charge much less than the ‘Big 4’ because the attack data they gathered was valuable to them and helped improve the accuracy of their models. They called themselves ‘Strike Team’ and were simply a cybersecurity service provider and managed to generate $1 million in revenue very quickly.
But since they were young and still working on their PhDs, their university, New Mexico Tech, was getting worried that they might unknowingly run afoul of compliance regulations. So, they were assigned a mentor named Mark Fidel who was an attorney with a business background to guide them. It was at this point that Ram, who was working in Silicon Valley at the time, entered the picture. Dr Srinivas reached out to him and asked for help in setting up a formal company and to improve the performance of their software. Together they identified Vulnerability Management as an emerging sector and redirected their efforts there.
Their starting point plan was to find a client in New Mexico where they were based, but once word spread their client list started growing across the US. To grow globally their decision to rely on partnerships since cybersecurity sales is a complex process. Eventually, Ram moved back to India to found Cyber Security Works (CSW), a cybersecurity services company. CSW started distributing RiskSense to all their clients in India, UAE & Singapore. Most recently they entered Sri Lanka through their local partner TekSek Cyber Security.
How did they find product-market fit?
The session then moved on to a conversation about how they identified their target market and the problems that they wanted to solve with their software. Both speakers were very frank and open about how grew from their first $300 contract to a $1 million in revenue.
Fragmentation
Through their research work and their engagements as ‘Strike Team’, they were in contact with many information security managers. They understood that these professionals were facing a huge amount of trouble trying to get a comprehensive picture of their attack surface. This was because different tools were needed to scan the seven different classes of assets they needed to protect; namely SAST (static application security testing), DAST (dynamic application security testing), OSS (open-source software), Apps in Runtime, Network, Cloud & Containers.
A-Ha Moment
Information Security teams were in what Dr Srinivas described as “spreadsheet hell”. They were being overloaded with information which had no context and was being given an endless list of issues to fix with minimal resources. That is when the team realized that they could automate this process and solve a huge pain point. This is when they became one of the first companies to follow the concept of Risk-based Vulnerability Management (RBVM) and created a new market segment.
Validation
While the concept of RBVM took many years to take hold, the founders were undaunted because they trusted their vision for the future of security. This determination paid off in 2020 when Gartner named RVMB the second most project IT departments should take on, beaten only by ‘Work From Home’ initiatives.
Key Learnings
Digital Economies of Scale
A key take-away was how they were able to leverage the power of automation & economies of scale to be able to provide 100% scan coverage, with 400% increase in scan frequency but still charge 70% less than competitors.
Staying Operationally Lean & Saying No
They also illustrated their thought process behind killing product offerings. 30% of their revenue came from Incident Response services at one-point but they decided to stop it due to its labour-intensive nature. This allowed them to concentrate on their main business, Risk-Based Vulnerability Management. This singular focus allowed them to scale up and go global while constantly improving their product.
A few members from the banking sector asked questions about installing their software on-premises instead of on the cloud. The same answer was given, the cost of maintaining customized on-premises software means that cost increases for the company as well as the customer, while also slowing down access to updates. So, they migrated all their legacy on-premises customers to the cloud offering which is certified for use by the most sensitive customers in the world, including the US Military.
University & State Backing
The importance of university support, which allowed them to keep their teaching jobs while building a company after hours was a recurring theme. Although they were very thankful for this lifeline, they did observe that since they had to give away a 50% stake to the university, they did have trouble when raising outside investment. They directed attention to universities like Harvard & Stanford that take only 6% stake.
Summary
What we learned from this session that there are many segments of cyber-security and niches are emerging every day. Demand is global and all founders should look at positioning their products in this space as a great way to scale up. Any Sri Lankan start-ups building cybersecurity or related products are invited to get in touch with the SLASSCOM Cybersecurity Centre of Excellence to receive support. Please write to them on: cscx@slasscom.lk