Some comparisons between business and sports are cliché. But when it comes to leadership in cybersecurity, having a CEO who knows how to play defense can be pretty relevant.
That bodes well for ObserveIT, a Boston-based security tech company focused on stopping insider threats. In March, the firm brought on a new chief executive, Mike McKee, who had been senior vice president at Rapid7, and before that, had spent more than a decade at PTC, the Massachusetts-based design software company. (Several prominent CEOs have come out of PTC—Brian Halligan of HubSpot and Jim Baum from Netezza come to mind. Something about the sales-driven culture there, perhaps.)
One thing that sets McKee apart is his pro sports background. He was drafted out of Princeton in 1990 by the Québec Nordiques of the National Hockey League; he was a defenseman in the team’s system until the mid-90s. (The Nordiques later moved and became the Colorado Avalanche.) An NHL trading card from the ‘93-94 season says “his poise, intelligence and skating skills are his biggest attributes.”
After retiring from hockey, McKee worked in finance, went to Harvard Business School, and hooked up with PTC, where he climbed the ladder in sales, services, operations, and strategy.
Rapid7 was his first direct experience in cybersecurity. McKee joined in 2013 to build up the company’s services organization, which has since become a big part of the business, along with vulnerability testing and incident detection. The job was a crash course in both cyber threats and management psychology.
“In most businesses, you’re up against competitors, and you have to figure out how to do better than them,” McKee says. “In security, you also have hackers and the whole underworld of the dark Web.” (Maybe a bit like having fans or league officials who can actually control the game.)
What’s more, he says, unlike other types of enterprise software, the underlying technology in security is “always changing, the threats are always changing… It’s like you’re playing different teams—one day it’s the Swedes, then the Russians, then the Finns.”
Yet another hockey parallel (then I’ll stop) is the meshing of different personality types on a team. McKee says Rapid7 did a fair bit of psychological profiling to match its executives with different roles. “It makes a huge difference in terms of being able to work together,” he says, adding that “goalies are always weird.”
For its part, ObserveIT (pronounced “observe it”) got started in Tel Aviv in 2006. The 100-person company was bootstrapped until about three years ago, when Bain Capital Ventures invested $20 million. That led to the company moving its headquarters to Boston, while maintaining offices in Israel. And it was Bain that approached Rapid7’s CEO Corey Thomas about poaching McKee, after Rapid7 had gone public—the Boston area’s only tech IPO of 2015. Bain was Rapid7’s lead investor as well, dating back to 2008.
ObserveIT’s co-founder and CTO, Gaby Friedlander, has a background in IT forensics and troubleshooting. He started the company to focus on insider threats to cybersecurity—for example, employees who do things like use unauthorized servers or send company files over Gmail, either with or without malicious intent.
Most insider threats seem to be unintentional. Friedlander says most employees “care about doing their job more than being secure,” and that “the unintentional is happening on a daily basis.”
ObserveIT’s approach is to monitor what users and employees are doing on their computers, educate them about risky behaviors, and either block them or suggest alternatives as necessary.
The company’s software sits on a server or desktop computer and takes screenshots of what employees are doing; it can send them alerts when it detects risky behavior, like downloading an unknown file. The shots can be played back later to see what happened, if there’s a security incident. Employees are also “risk-scored” and compared to others in the organization, with trends over time mapped out.
Employee privacy is an obvious issue. But at this point, companies seem willing to do whatever it takes to minimize damage, so long as they operate within state and federal laws. “Ten years ago, we heard ‘Big Brother’ all the time,” Friedlander says. “Now there’s none of that.”
Other security companies with related or complementary approaches include CyberArk, Cybereason, Trusteer (part of IBM Security), and AlienVault.
ObserveIT says it has about 1,000 active customers across financial services, healthcare, insurance, and other sectors. Its revenues have grown significantly over the past five years, McKee says, and its sales have been shifting from primarily international to more geographically balanced (about one-third is in North America now). That tracks roughly with the staff’s distribution—about 60 in Tel Aviv, and 40 in Boston.
McKee and Friedlander are convinced that insider threats are the right focus to have in the noisy landscape of security. But McKee acknowledges that his company needs to boost “brand awareness and recognition of what we do.” One challenge is that most customers don’t have a dedicated budget for insider-threat security—they just want better security, period.