Bootstrapping Using Services First, Raising Money Later: Rohyt Belani, CEO of PhishMe (Part 3)

Rohyt Belani: Just to lay it out, Farm Stone was acquired by McAfee. I worked there. Then I worked at Mandiant, which was acquired by FireEye. The group I had founded with Aaron was also acquired in 2012. Along that journey at Intrepidus, we had already come up with the product idea for founding PhishMe. PhishMe has been around since early 2011. It had a bit of an overlap with the Intrepidus Group. We’re coming up on five years of existence this January. We’ve set out to solve a problem, which is still the problem of the day when it comes to cyber security, which is targeted phishing attacks.

Sramana Mitra: Let’s go back to five years back when you were starting PhishMe. You had already gone through several exits, whether you co-founded or not. I presume that you, at this point, had a bit of capital available to yourself?

Rohyt Belani: We actually bootstrapped the early days of PhishMe because it was incubated inside of Intrepidus Group. Intrepidus Group, as I’ve said, is a consulting company. We had three cash flows to fund PhishMe to a certain point. Then in mid-2012, we actually did raise our first round of capital for PhishMe.

Sramana Mitra: Essentially, the strategy that you followed is something that we have a name for. We call it Bootstrapping Using Services. We have numerous case studies. If you look at our entrepreneur journeys series of books, there is one called Bootstrapping Using Services. We’re very familiar with that strategy. Let’s double-click down on that. The product around which you built PhishMe, how much of that was fleshed out while you were consulting? Did you have a consulting client for whom you designed this product and preserved the IP rights?

Rohyt Belani: It wasn’t a consulting client who asked us explicitly to build that. What was going on was, we had several consulting clients who were dealing with the spear-phishing problem and were repeatedly asking us to run phishing simulations against their employees to tell them where they stood. They wanted metrics around their security posture around the human beings of their organizations. We started developing scripts and little tools initially to automate the process. What we realized was that while we could create a production-level product out of it, the goal was not just to collect metrics.

When we looked at the metrics, it painted a sorry picture year after year. We said, “How about we use this approach to solve a problem by making it immersive education?” You simulate an attack. When someone falls for the attack, you give them 60 to 90 seconds of very engaging on-the-spot education relevant to that attack. You still collect the same metric on the back end. You do this more often than once a year. It’s a repeated immersion, which in learning theory, is a well-known technique to get a point across. We realized that we were on to something. We were actually changing the behavior of people and proving it through metrics rather than just presenting metrics to showcase how bad the problem was.

This segment is part 3 in the series : Bootstrapping Using Services First, Raising Money Later: Rohyt Belani, CEO of PhishMe
1 2 3 4 5 6 7