Kevin Hickey is the president and CEO of BeyondTrust. He’s also one of the nicest guys you could ever hope to meet. Sat against a backdrop of the beautiful mountainous desert, in his office in Phoenix, Arizona, Hickey told Eleanor Dallaway what the key to retaining good infosec people is, and why, despite his reputation for M&A, BeyondTrust is different…
I first met Kevin Hickey at a pool party, hosted by BeyondTrust, in Vegas. In shorts and T-shirt, he mingled with his guests, giving time to, and showing genuine interest in, each and every one. How many CEOs can you say that about?
So, as I turned up at the BeyondTrust office in Arizona, I had high expectations for my interview with Hickey, and I wasn’t disappointed. Afterwards, I went for dinner and drinks with him and some of his senior exec team, and realized that a lovely CEO must attract lovely staff. I had a lot of fun that night.
Kevin Hickey’s reputation for capital fundraising and mergers and acquisitions precedes him, and as soon as I raise it, he says, “You’re right, I get called on this a lot.” And he doesn’t mean by journalists. “No, by people interviewing with us because they’re concerned about what I’m going to do,” he admits candidly.
So where does his aptitude for growing, selling, and M&A come from? “Ever since I left IBM and went to a company called Viasoft,” he begins. “It was a $6 million company and we turned it around, took it public, and I learnt very early on that I get excited about the structure of building something, growing something.”
But what’s the formula for success? “It’s really simple, you invest in me, in the intellectual property, and you make sure that you have great technology.” Great technology attracts great people, he adds.
And thus far, it has worked out pretty well for him. Hickey has applied said formula at Viasoft, NetPro and eEye Digital Security, which was acquired by BeyondTrust in 2012. eEye was Hickey’s first pure-play security role, and he recalls that he very quickly realized “that if you really understand and get to know the [information security] sector, you’ll have a career for life. This sector is not looking for people that just want a job.”
High Hopes
So when Hickey joined BeyondTrust by way of the company’s acquisition of eEye Digital Security, he had high hopes of taking the newly merged company to the “next level.”
“I knew right away that what I’d like to do is sell to a private equity player. It was a group that I wanted to build and continue with,” he explains. And sell to a private equity player he did – in September 2014, it was announced that an affiliate of private equity firm, Veritas Capital, would acquire BeyondTrust from private equity and venture capital firm, Insight Venture Partners.
“We sold the company, but there wasn’t one change other than the fact that we have a new investor who’s looking at it from the view that they want to build a really strong security software company to take public, and they want to do it the right way. It’s a new partner with fresh eyes looking to build, and build out.” And the right way, according to Hickey, is to “continue with the company, add to the top line, and invest back into the business.
“We invested a lot in the intellectual property, came up with some really solid solutions, and really started to add value.”
The investment has been reflected in the numbers, which has seen margins grow to north of 35%. “If you look at our competition, even CyberArk or Qualys, they’re in the high single digits or low teens,” he compares.
With a strong alignment to M&A activity, I ask Hickey for his opinion on the current M&A landscape in the information security industry. “I think you’re going to see a lot more consolidation in this sector. Customers have more vendors now today than they ever had. But I do believe, with all the pressure put on CIOs and CISOs right now – and the old adage, you never get fired for buying IBM – I think they’re looking for people that have a platform, substantial revenue, and success.”
As a result, explains Hickey, questions are posed about what kind of vendors CISOs really deal with and put their confidence in, which will result in a lot of consolidation. “You’ve got to believe that consolidation is healthy, and that innovation is not going away.”
Innovation is, however, hard to come by in the bigger companies. “They acquire, they don’t innovate, but that’s just their business model – they know that innovating themselves would take longer.” Information security, however, is a very healthy sector which relies on this very innovation, he adds. “We’re being attacked and we don’t even know it, it’s ‘if’ not ‘when’, and there are even tools for hackers now,” Hickey adds, clarifying the exact extent of the size of the (infosec) prize.
"If you really understand and get to know the [information security] sector, you’ll have a career for life"
When the People Rule
And in order to truly compete for a decent slice of that infosec prize by staying relevant and staying ahead, you better have yourself a staff full of assets, Hickey tells me. “Just look at my team – Marc, Brent, Mike – they have a lot of passion for this industry. We’ve got guys and gals that are so driven, and that’s hard to find in bigger companies.”
But in a highly competitive industry with vendors fighting for the brightest talent, how does BeyondTrust attract – and more importantly, retain – talent? “You have to have a culture that is exciting and promotes clarity: tell people what’s expected of them, and let them do it. Let them run their business, because when they have passion, they’ll do it the right way,” continues Hickey, who has a policy of hiring people “much smarter” than he is.
“Surround yourself with really bright, good people, and make sure objectives are exceedingly clear.”
But that doesn’t mean it’s all smooth sailing, counters Hickey. “We fight like you wouldn’t believe, but it’s out of respect. You don’t battle with somebody that you don’t have a lot of respect for, you just kind of walk away.”
The key to good people, he says, is building an environment and a culture that people want to be in, and of course, rewarding people appropriately. “People want to work where they’re appreciated, where they feel like they have true input, and I hope that’s what we’ve created here.”
Hiring Hackers
I’m particularly keen to talk to Hickey about one specific member of his talented team: Marc Maiffret, the company’s CTO, an ex-hacker with an impressive resume which has seen him testify before the United States Congress on matters of national cybersecurity and critical security threats three times.
Whilst no doubt an incredible asset to the BeyondTrust team, I ask Hickey whether he was ever concerned about hiring someone who had once donned a black hat. “When Marc was 16, the US government said to him: ‘Either come help us, or we’ll give you free rent,’” Hickey laughs. We can all read between the lines of that ultimatum.
“Today’s hacker does it for financial or political reasons, true cybercriminals. Marc was different; he was that brilliant, and was doing it because he could. It wasn’t malicious, just a little mischievous, and it was purely recreational, it wasn’t to hurt his country. Marc then decided to build a product to stop guys like him. How many hackers were actually going out and starting a business to stop guys like themselves? You’ve got to be pretty confident, and that’s how you know the caliber of person you’re getting.”
It’s for these reasons, explains Hickey, that he actually views Maiffret’s colorful history as a positive. “He brings such a passion and a love for what he does. You also have to look at the personality of who you’re getting; give Mark three or four beers, and he’ll start crying about how much he loves this company and the space.” Well actually, Marc joined us for dinner that very night and I can confirm there were no tears, despite the flowing drinks. But his passion for the industry is undeniable, and as for his personality, he’s an absolute diamond.
“Every case should be an individual judgement,” adds Hickey, referring to policy on hiring ex-hackers. “You can’t throw a generic cloth over something and say, I don’t want to hire a hacker. Just look at the case, the timing, what were they doing, what they have done since. Ask what their ultimate goal is.”
In addition to his technical expertise, Maiffret “brings common sense to the equation. He can make boards understand technology by bringing it down to the right level so they can assist in policy. It’s so unique to find someone who really understands the depth of the technology and what he could do with it, and then also understand the business.”
So, having endearingly enthused about his entire staff for a considerable amount of time, I ask Hickey whether the apparent skills gap we talk about so frequently in the industry is perhaps exaggerated. “It’s definitely a real thing,” he says, “but there’s a tremendous amount of talent that can be found, stolen, but also nurtured and grown.” When I ask for more detail on ‘stealing’ talent, Hickey confesses: “We look for companies that aren’t innovating like they used to, or ones that have been gobbled up, and I’ve got to tell you, when we find [a company] that has been acquired, oh, we’re bad. We are all over those guys.”
750 Miles from the Valley
BeyondTrust HQ is in Phoenix, Arizona, 750 miles east of Silicon Valley. Whilst BeyondTrust’s finance, accounting and sales are all handled from Phoenix, R&D happens outside the Grand Canyon State. “You know, you do miss an awful lot being here, I will say that. You miss a little bit of the buzz, the edginess, and pushing-the-envelope type pieces. But what we gain from being away [from the Valley] is more focus on the solutions.”
Hickey finds himself in the Valley on business every other week, for two or three days at a time, but is more than content being based in Arizona for nine months of the year. The other three – in the height of summer – are spent in his home in Coronado, California, a little island off of San Diego, which he very kindly offers me the keys to, if I ever fancy a vacation out there.
I get the distinct impression that Hickey is a man who has a very admirable work-life balance, and has passions outside of work that rival his passions within the BeyondTrust walls, including golf, fine wine, and family.
Thank You Snowden
So, what’s next for BeyondTrust, I ask Hickey, the man who – on paper – always has his next move planned out. “I want to be seen as a true leader in the privileged space, data intelligence space, and the whole analytics piece.
“The days of having a vulnerability scanner without intelligence is a thing of the past. You have to give people good threat intelligence; boards and CISOs will demand it. So I really want to go after and take this privileged space, and be seen as just one of the true innovators and leaders.”
And the privileged space is one that, since Snowden, has well and truly earned its place on the map. “I think we had 80% belief in the company that we’re doing the right thing, then Snowden happened, and things started to take off.
“Snowden helped create a sector for privilege that is now arguably one of the faster-growing areas in security.”
Once you lead and innovate in a space, Hickey says, “it gives you flexibility. If you do something really well, and build a good reputation, it allows you to get to the next level, and it gives you flexibility to do what you want to go do.”
At this point, Mike Yaffe and Brent Thurrell, two of Hickey’s senior leadership team, enter Hickey’s office. “I’m sure this is real interesting and everything, but let’s go get some drinks,” says Yaffe. We laugh and Hickey rolls his eyes, it’s clear to see just how well everyone at BeyondTrust gets on. I guess that’s the culture that Hickey and I discussed earlier.
Kevin Hickey, it has been a pleasure. Now, let’s drink wine.
This feature was originally published in the Q1 2015 issue of Infosecurity – available free in print and digital formats to registered users