Podcast Season 1 Episode 1

Brendan Hannigan: Sonrai Security CEO

In this episode, Marc talks with Sonrai Security’s Brendan Hannigan, on how he went from security guard on a Jack Nicolson movie set, to cybersecurity CEO. Trained as a coder, learn how his early days at Forrester Research honed Brendan’s skills in understanding marketplace fit and fueled his passion to go out and start building things. Brendan went on to lead Q1 Labs until they were acquired by IBM, where he joined as the GM of the newly formed IBM Security. That journey lead him to his current role, CEO of Sonrai Security, where he and his team are changing the way organizations secure the cloud.

You’ll also learn about:

  • Why the complexities of being a Cyber CEO haven’t changed in decades
  • The origins of the term security intelligence
  • The fulfillment of saying «OK sure, I’ll try that»
  • Why CISOs may not need to «shift left» but they have to shift somewhere
Transcript

Marc van Zadelhoff: Welcome to «Cyber CEOs Decoded,» where we speak with CEOs from established security giants to up-and-coming disrupters, getting the inside track on what makes a cybersecurity company tick. I’m your host, Marc van Zadelhoff, the CEO of Devo. And today my guest is Brendan Hannigan, CEO and co-founder of Sonrai Security, enterprise partner at Polaris Partners and previously the GM of IBM Security and CEO of Q1 Labs. Brendan also has had the dubious honor of being my boss for four years of his career back in the day. Brendan, welcome to the show.

Brendan Hannigan: Hey. It’s really nice to be here, Marc.

Marc van Zadelhoff: I’m really looking forward to this. You know, Brendan, as I mentioned in the intro, I have had a chance to work so much with you when we were both at IBM Security. And this podcast is going to be my chance to finally ask you all those questions I never had a chance to ‘cause we were so busy back in the day. So, Brendan, you’re the CEO of Sonrai Security, a rapidly rising player in the cloud security space. And we’re going to spend some time on that later.

Marc van Zadelhoff: You’re the founder and CEO there. But I want to take a step back and go way early in your life and career because I think it’s nice for people to get a sense of the origin of the CEOs in the cyber space. You are not from the U.S. So where are you from? Where’d you grow up? Tell us a little bit about your early days.

Brendan Hannigan: Yeah. I’m – so I’m an Irish guy. I grew up in Dublin. And I went to university in a great esteemed institution called University College Dublin – went, actually, to study science, not computer science. And I wanted to – I started physics and chemistry. And they made me take a Fortran programming course in my first year.

Marc van Zadelhoff: Wow.

Brendan Hannigan: And that mandated Fortran course – I think VACs or something – was what got me into computer science. I quickly firstly became addicted to it and just loved it from that moment till this very day and realized physics is really hard. And chemistry – those experiments are really hard to get right. So I just really gravitated to this whole world through that moment.

Marc van Zadelhoff: I’ve been helping my 14-year-old daughter with her physics homework as a freshman in her high school. And I can relate to how hard physics is. I think that’s the wise choice. Now, do you ever code today? Are you still coding ever, Fortran or anything like it?

Brendan Hannigan: It’s been a while, actually. There was a time, you know, where, you know, my wife would have some problem, and I’d have to get out my coding chops and go back to my C programming days. I was a pretty solid C programmer. But it’s been a while. However, as you know, as time goes on, when you get into a macro and spreadsheets, it’s kind of like coding. And I’m damn good at those, too, actually. And so…

Marc van Zadelhoff: OK.

Brendan Hannigan: …I’ve transferred my skills to a different realm.

Marc van Zadelhoff: And if you think back to your growing up in Ireland – is lots of things we could ask about there. And I love Dublin. I had a chance to work there one time for three months – and fantastic city. What was your first meaningful pay job that you had? What’s the first job you had where you earned some money?

Brendan Hannigan: Yeah. So I – very first set of jobs, actually – it’s related to how I ended up coming here – was – maybe they weren’t quite meaningful. But I worked for a summer while I was in university in Boston. And I had meaningful pay jobs in Aris Barbecue in Faneuil Hall and in a variety of other very minimum pay jobs for the entire summer. Spectacular. It was actually my first job in security, too. I worked for Pinkertons – and marching around Tremont Street and doing other strange things. But that was my first time where I was actually really getting truly paid ‘cause, you know, jobs were few and far between at the time back then in Ireland.

Brendan Hannigan: But when I graduated, I actually first worked for Digital Equipment Corporation in Ireland. And I was writing software. At the time, the great innovation was for a terminal server. And it was basically moving the innovation curve up from an 8-port terminal server to a 16-port terminal server and going from 9600 baud to 19.2. And, Marc, a lot of people listening don’t even understand what a baud is. But that’s OK.

Marc van Zadelhoff: Yeah. Yeah.

Brendan Hannigan: That’s where it started.

Marc van Zadelhoff: I might say, myself included. But back in the day – so you started then. And, yeah. Pinkerton, by the way – you throw that out there, but I believe you were in physical security in that job, right? You were in a uniform guarding a building. Is that – was that your first exposure to the word security in any way?

Brendan Hannigan: It was. And it was a thing where you were always looking for the best job to get slightly more money. And this particular job was promised to me to – you know, it was a really cushy job being – you know, checking IDs into the subsidized cafe at Liberty Mutual. But before they let me into the cushy job, they had a task for me to do a 24-hour tour of duty in the combat zone, protecting Jack Nicholson’s movie studio cab. And I was in a Pinkerton uniform marching around. Thankfully, I had a Marine beside me because of – the only thing I could have done was run if I get into any trouble.

Marc van Zadelhoff: (Laughter).

Brendan Hannigan: That was my first job in security and physical security.

Marc van Zadelhoff: But you went back to Ireland. You started working for Digital Equipment Corporation. How did you end up moving to the U.S.? – ‘cause you’ve lived here for quite a long time.

Brendan Hannigan: Yeah. So I’ve been here now since 1990. And I had a really wonderful time working for Digital. Nearly every job I’ve had – I’ve always look back on it very fondly. And that one I look back on very fondly. But ultimately, I started to just want to get to a new challenge. And at that time, I actually ended up seeing an advertisement for a job in the eastern part of the United States. It was in a British newspaper. And I was thinking of the places I could go to get the most challenge in my career. And I was looking at emigrating to Australia.

Brendan Hannigan: And then I saw this job. And I actually ended up going over to London, interviewing for it, and I got it. And it was basically, again, writing software for switches, in that instance, for a company called Motorola Codex. And it was a frame relay/cell relay switch. So I came over here. And that was, you know, three years after graduating college, working in the Boston area, initially for Motorola, then for Wellfleet Communications, again, in routers – so amazing wonderful early jobs in my career. And I always knew I wanted to be in the United States from that summer working here. And just the technology sort of fervor that was in Boston was just a phenomenal thing to be a part of. And you just learn a lot very quickly. And so it was spectacular. I knew. I go back home. I love going home. I go home every year. But I knew from the moment I came here I was going to stay.

Marc van Zadelhoff: And so a walk us through a little bit ‘cause you and I met up, obviously, when you were at Q1 Labs. But from Digital Equipment to Q1 Labs, straight shot? Or you had a couple of things in between there, I think.

Brendan Hannigan: Yeah. I mean, actually, probably the most interesting one – and it is in – it’s nontraditional actually ‘cause I was really developing some very technical products. And I actually joined Forrester Research.

Marc van Zadelhoff: Yeah.

Brendan Hannigan: And I joined in the network group. And then I eventually ran the network and security practice at Forrester. And it was an amazing time. It was at the end of the ’90s, and if you can imagine. We forget sometimes just the unbelievable cauldron of change which was happening around switching and routing and the adoption of Ethernet and the domination of Ethernet over Token Ring. You forget all these things. And that was happening at all of that time – at that time. And I was basically kind of in the middle of that melee. And it was fun. I learned a lot, I have to say.

Brendan Hannigan: I – it was a boutique firm at the time, but it was extraordinarily demanding. And it was a really great group of people. But what I actually got out of it, which was phenomenal, beyond the technical aspects of our business, was the complexity of understanding and marketplace, the complexity of positioning into that marketplace and the critical importance of being able to communicate and tell a story in our business so that you can actually get people to consume what it is we’re trying to get them to consume. And that really changed ultimately. It was a really big and important part of my personal journey to get me from being extraordinarily technically competent to actually get more other parts of my brain working.

Brendan Hannigan: From there, actually, Marc – you know, in 2003 – I had another job in between, but the most important one was in 2003. I met Sandy Bird. And I ended up joining Q1 Labs, initially not as the CEO, actually. Initially, I joined as the COO. I was running marketing. I was running the technology business. I had it all kind of run against me. But eventually, I became the CEO of that company. And we built that company for eight years as an independent entity. And that was a great journey.

Marc van Zadelhoff: Briefly forgotten about your time at Forrester, actually, when I asked a prior question. And there’s quite an amazing alumni network that’s come out of Forrester, I have to say. And, yeah, you must have really – did you like being the – I mean, that’s a pontificating role, right? You have to write. You have to have an opinion. You have to present it. You have to – an opinion even if you don’t have one. Did you enjoy that?

Brendan Hannigan: I did. It was, you know – so the Forrester team at the time, driven by George Colony – I mean, it was just relentlessly focused on, you know, the quality of the research and the quality of the writing. And there was a particular technique that they really drove through to people to basically really force them to have an opinion, make a call on the marketplace and really be able to communicate it. And honestly, that’s a really hard thing to do. That’s not a straightforward thing to do. And when you have, you know, 20 peers reviewing your work before it actually goes out, it’s kind of relentlessly tiring, actually, but excellent – just really good.

Brendan Hannigan: So I did actually enjoy it. It was never going to be my long-term career. That’s what I realized for it. But while I was there, I really, really enjoyed it. And I learned a lot. And I loved interacting with people. Eventually, though, if you’re good at and if you enjoy building things, well, then you got to be in a company building things. You just can’t…

Marc van Zadelhoff: Yeah, yeah.

Brendan Hannigan: You’ve just got to be in a company building things ‘cause otherwise you just get too frustrated.

Marc van Zadelhoff: It’s like a spectator versus being an athlete, maybe.

Brendan Hannigan: It is a little bit. And it’s not that those aren’t great businesses ‘cause they are. But there’s times where you just really want to get in the melee, and there’s nothing better than starting a company or being a part of a smaller company to try – to be in that melee.

Marc van Zadelhoff: Yeah. You and I share – and I remember this from when we started working together – a huge passion for writing and messaging and strategy, I would say. And I’m realizing now that you honed those skills at Forrester. I had a time early in my career when I was a strategy consulting and had an editor breathing down my neck – guy called Jon Webster, who’s an amazing, amazing guy. And I remember when I first started working with you, it was unusual to have somebody who you would really engage on things I wrote and have a red pen of your own and engage on that. And you and I had a lot of fun on that. I remember that very well, is when I started to work with you, you really got into the text and into the writing.

Brendan Hannigan: It is. And actually it’s true today, Marc, isn’t it, though? Even I’m sure in your own role, writing your own – it’s still hard. It’s still hard. I mean, it’s not like you just go into a situation; oh, I got it. It’s every – you’ve – suddenly you’ve got a secret code for figuring these things out. Every situation has a new set of complexities, customer complexities, technology complexities and the messaging, the positioning and bringing it down to consumable stories is a substantial challenge in nearly every business. That takes a lot of time.

Marc van Zadelhoff: Yep. Now, I spend a lot of time there with our marketing team, and I love it. And I’m sure that I’m sometimes not always loved by all my comments and critiques in it. Q1 Labs – I want to spend some time there. What an amazing company. Kind of get to the part where you and I converge was I was at IBM forming the IBM Security business. And we acquired Q1 labs. And that’s when you and I started working together. But as you said before that, eight years at Q1 Labs – you guys grew that business to hundreds of employees with Sandy Bird, who you mentioned, and the very talented team there.

Marc van Zadelhoff: Give us a sense there of being there, of growing that business, some of the milestones there. I mean, for example, raising funds – was that the same funding environment back then as it is now, where you – you know, it’s changed a little bit in the last few months – but where there’s so much money circling for investments? Or was it a different environment? Like, what were some of the things that were difficult and easy in that role?

Brendan Hannigan: You know, so the business itself, like everything, you start out with a particular idea. In that case, which, you know – many people, it’s long forgotten – we started out in a business which was primarily focused on network analytics and the discovery of threats on networks doing flow and analytics. And the acronym at the time was NBAD – network behavior anomaly detection – and very important technology, absolutely critical for detection of insider threats, but not a technology where people have established budgets. And so it was hard revenue all the time.

Brendan Hannigan: So what was the hardest thing? The hardest thing was having a technology which clearly had value, was very important, but for which there was not a slot which was well-established from a budget perspective, because it’s kind of frustrating. You go, hang on, we – you really do need this. But customers didn’t realize it. And that’s just a reality of what can happen in so many instances. And so we actually had to grind through a number of years where we’re basically working with that technology, winning some leading-edge companies, while, actually, we established a strategy to say we took a step back – try to do this all the time. But we took a step back and said, what is it we’re trying to solve?

Marc van Zadelhoff: Yeah.

Brendan Hannigan: What is the problem of the customer? And this is the light bulb that went off in our head, is to say, you know, we’re just doing analytics on data which we’re collecting. And the purpose of our analytics is to go and find a security threat or some sort of a risk. Well, why is our technology restricted? Why are we restricting our offering to customers based on the feeds of data of a particular source? Why don’t we just solve the entire problem? – which means, boy, we’ve got to collect way more things. And we sort of invariably said, look, that SIEM marketplace is kind of weird. They collect events. They don’t collect anything else. It’s kind of messy. It’s complicated. Well, why is that separate? And so we built a more expansive platform – took us a couple of years. Totally – you know, we look back on it and say, wow, that company really sort of nailed it. Well, sure, but it was up and down quite a number of times. When we got into that marketplace first, we were in the lower left-hand losers quadrant of Gartner.

Marc van Zadelhoff: Is that what it’s called? Is that the official name?

Brendan Hannigan: It is, yeah. Lower left is big L. And we – but we really believed in our vision, Marc, and we were – we just believed in it. And we just built out – we coined the term security intelligence. We bought the URL for it. And as time went on, you just realized, wow, not only have we positioned into the marketplace, but actually, it’s differentiated in a way that’s lasting for years. So what I would say – what’s the hardest? That was hard. That was really hard.

Marc van Zadelhoff: Yeah. I mean, that’s – nowadays, the cool term is establishing your product market fit, right? That’s what we call that nowadays. But that’s basically – that anecdote is you getting to that point, where you had a business that was selling, but until you really nailed it to the SIEM use case, and then you saw the growth go, right?

Brendan Hannigan: Yes. And establishing a product market fit – sometimes we think that that’s, like – it sounds easy. Oh, we’re going to sell a few things and tweak a few features. No, it’s (laughter) – sometimes it’s total brain surgery and surgery because that’s what it takes. And so – but that was the hard part. The things that weren’t hard? It was fun. We had good people, and we just had a lot of fun while we were doing it. It was always fun along the way. But you just have to stick with it, too. We had a lot of – you know, we stuck with it and the team stuck together. And so that’s what was fun about that.

Marc van Zadelhoff: Awesome. I know my side of the story at IBM – we were thinking about building a new business called IBM Security, and we saw the SIEM – an SIEM product like yours as the linchpin of that strategy. So it was quite clear for us that we were in love with the space and quickly fell in love with Q1 Labs. Was it obvious for you guys that selling and joining IBM or, you know, selling the company at the time – was that kind of your preferred choice, or did you guys have other thoughts of what to do with the company?

Brendan Hannigan: We did. I mean, we had a lot of different options. You actually asked a question about – was fundraising difficult? I mean, some – fundraising environment then was very different than it is right now. The valuation mechanisms were different. The milestones and expectations were different. So in some ways, in theory, it was harder. But it was never – we were always – whenever we needed capital. In the case, then, of IBM, I actually tried to characterize our objectives. I was interviewing an employee yesterday, and he was saying, so what are your goals of your business, the current business we’re trying to build? And he said, do you want to double it? Do you want to triple it? Do you want to go public? Do you want to do this? And I said, we don’t measure our goals as a company and as human beings by those metrics. That’s not the way we do it.

Marc van Zadelhoff: Yeah.

Brendan Hannigan: We actually say, what are we trying to do for customers? And then, where do we want to end up, you know, in our place, in the business? And in that instance, we wanted to scale the business and we really felt we had an amazing technology, and we really felt we could be No. 1 in the business. And then you say, what’s the mechanism? Capital is one way to do that. And then what’s the other mechanisms? And we felt, at that time – you know, IBM has many challenges, to say the least, right now. But at that time, it was – I called PEAK IBM for perpetual software. We were selling perpetual software.

Marc van Zadelhoff: Yeah.

Brendan Hannigan: And PEAK – you know, it was a very effective machine for selling that type of software to large businesses. And we made the bet that it was worth making the investment because we could take something we’d worked on for a long time, and we felt we could establish ourselves as the No. 1 in the marketplace. That’s why we did it. That’s the discussion we had. That’s what I said when our company was bought, Marc, if you remember. I said, look, we came here to be No. 1, and we feel that this can accelerate that process. And it did. And we became No. 1.

Marc van Zadelhoff: And that was a fun ride. You went from being CEO – and I watched that very closely because I was assigned to join your leadership team. But you went from being the CEO of a company – kind of the biggest fish in a smaller pond – to being the general manager of IBM Security. I mean, there must have been some culture shock for you coming into IBM, some shock on the span and control. And, I mean, what was that like? There must have been some humor and dismay in addition to exuberance in that phase of your life.

Brendan Hannigan: You know, these things happen in life which are interesting, right? So that – I remember when the acquisition – we had agreed on the acquisition. The acquisition’s going forward. And then you would remember, as well, Robert came down – you know, one of the senior vice presidents of IBM came down – came to Massachusetts – came up to Massachusetts to visit me for lunch. And I was like, that’s kind of interesting that this SVP’s coming up to visit Brendan for lunch. And over that lunch, he said, Brendan, we’re going to start this division. And, you know, Marc is a big part of form this division, but we would like you to be the general manager and to run this division. And I actually, honestly, thought at lunch, I’ve never done that before. I’d like to try that. That’s – sure. You know, was surprised and I was like, OK; sure. I’ll try that. And I had a great experience. It was all of those things you described.

Brendan Hannigan: I mean, there was times where it was like, what the hell have I done? Why did I do this? But that’s like every time, you know? Any time I start a home renovation or we get something going, I always go, this is exciting; this is going to be great. And two months later you go, what the hell are we doing this for? This is just a mess. In reality, there were times where it was complicated. But you just come back to the same leadership principles. Do you have a great team? Do you believe a division? Can you put things together? IBM gave us a lot of support. They put a lot of very senior people into our team. And as you well know, that business grew to be a very large business. So it was very fulfilling. I believe the following. This is the magical thing about software companies, cybersecurity companies, and especially smaller companies in our business.

Brendan Hannigan: I tell people all the time the analogy to sailing. If you sail a 420, which is a small, single-person or two-person boat, or if you sail an opti, which is just a single-person boat, you have to learn to sail the entire thing. You know how to tack. You know how to move the boat. You know how to understand the wind. Where, if you’re in a big, huge boat, and that’s the only place you’ve ever been and you’re just in one aspect of sailing it, you actually can’t sail the entire boat. The beautiful thing about leadership is you can look around and get the tools you need, and we had the tools we needed to be successful in the bigger organization. And it worked. And it worked for us, and it worked for me. It worked for our team, and so it was a phenomenal experience. I mean, I still prefer innovating in a company like at Sonrai or Q1 Labs. It’s just way more fun. But that was great fun. It was a great experience.

Marc van Zadelhoff: That’s awesome. Well, we spent, I guess, four years together there, and then you moved on. I got to take over that business after you left. But sticking to your story, in the end, that was 13 or 14 years of your life if I do the math – right? – the eight or nine years at Q1 Labs and then the four years at IBM. And so how were you feeling at the end of that? Were you exhausted? Were you exhilarated? Did you need a break? How was that for you?

Brendan Hannigan: Yeah, the answer is probably all of the above. I mean, it’s – there’s no question that it can be draining for a long period of time to just keep at it and at it and at it. And so I actually did take a break. I took some time off. I took probably about a year off where I was just trying to figure out what I do next. And I’m always cautious to say, oh, my God, it’s so exhausting. Because you’ve heard me say this when I’m walking around the corridors – we’re not coal miners.

Marc van Zadelhoff: Yes.

Brendan Hannigan: It’s a software business. Like, even a bad day in the software business – it’s pretty fine.

Marc van Zadelhoff: Yeah.

Brendan Hannigan: It’s not terrible at all. But having said that, there’s no question. There’s anxieties. There’s pressures. And it’s good to take a break. Especially when it’s been a long run, you don’t get a break. When you’re building a business, you’re building the business. And then, you know, everybody gets – you know, it’s exciting. You’re acquired. And then you’ve got this couple-of-week break where you’re waiting for approvals, which everybody should go on vacation or something because it’s a great time to take vacation. But now you’re into integration, and then we had to build this big division. It was exhausting. So I needed that time, actually, and that time was great. It was phenomenal, and you just really needed to decompress. It’s very rewarding, but it is exhausting, and you need to take those time at the right moments.

Marc van Zadelhoff: Let me ask you one question before we go to your next chapter. When I work with you, I always admired – you seem to have – I’ve had the pleasure of meeting your family several times. You seem to always have had a really good balance with work and home. How did you do that – any tips on that for people that are in these types of roles?

Brendan Hannigan: I actually have this little – this tip, especially for executives who have young children. I always say, you can have an amazing career, and you can have an amazing family life, and you can have your amazing hobbies that you’re interested in. Pick two of the three, especially when you have young kids. If you try to pick three of the three, it’s just going to get pretty hard. If you’re going to really, really go all in on a business endeavor and you also want to have a sane life with your family, well, then, you have to prioritize that. And so that’s number one. So that’s it. You just can’t do it all at life. There will be times to do it all.

Marc van Zadelhoff: No weekends away with the buddies, no 36 holes of golf a week – that’s what you’re saying. I remember you told me this, and I love that advice because when I met you, I had – my kids are still pretty young, but they were even younger. So it was – I listened to that.

Brendan Hannigan: Especially when you’ve young kids, when they’re young. And then, actually in the end, I feel the same is true now when we’re hiring employees. I go, look; we’re intense. We should be intense. We should care. But we should care that our employees have a life, ‘cause if they don’t, they won’t stay. And you want – we want our teams – the fun part of building these businesses is – a big part of it isn’t just, like, a technology accomplishment and some score on a board. It is actually really rewarding when you can see that people’s careers accelerate because of the endeavor. And it’s fun. And the way that happens is they have balance, and they stay with you because they have that balance. And I think it’s really important. And it’s important for us personally, and it’s important for our teams.

Marc van Zadelhoff: Would you agree that that dialogue seems to be more in the forefront of our society these days than before the pandemic? I feel like that whole opinion has gotten more sunlight now.

Brendan Hannigan: Yeah, I think it is. And I think what we have to be careful of is that it doesn’t turn into something that goes further than that, which is that basically work is somehow not work. Work is work. There’s times you just got to get the work done. But that – so the answer is yes, I think it is. That’s always the way you and I have always worked, and it’s the way we should all work. And then we have to be always – I always am reminding everybody, this is work. We’re here. We enjoy our work, but it is work.

Marc van Zadelhoff: So you took a year break, and eventually you joined Polaris. And today you’re the CEO of a – obviously, of a security company. Just maybe before we go into those two particular aspects of this chapter of your life, you stayed in cybersecurity, and I thought I’d just pause on, you know, what does cybersecurity mean to you? You must like it. Why do you like it? Why is cybersecurity motivating? Why not go into a different segment of the market? You stay at it.

Brendan Hannigan: Yeah because I think it’s – it is actually. I always say I always want to work on – we always want to work on things which are just intellectually interesting and pose interesting problems. And now one thing I would do, and I always suggest to people when they’re in a particular segment, it’s great to have a skill set. It’s great to be part of a hit movie maybe, or whatever you call it, and then maybe do a sequel, but you don’t want to be on the 13th version of it. And so sometimes people stay really focused. So I’m in cyber, but actually everything has been really different, right? We built Q1 Labs in the security intelligence space, ran a diverse large business across many – 13 different product segments, if I remember, and – which became a $2 billion business. And now I’m actually very focused on cloud security. I was chairman and invested in a container security. They’re actually really very different, but they’re related to cybersecurity.

Brendan Hannigan: So I actually think there’s just many different zones that we can go after. There’s always – why do I do it? I think it’s intellectually curious. There’s benefits to leveraging the network you have. It’s what we know you can give more quickly when you know an area and a segment. And so that’s one of the reasons why I say. And there’s just an awful lot of work to be done. I mean, seriously, have we got a lot of work to do? Like, we all have to wake up in the morning and look in the mirror and say, yeah, we got a lot of work to do here.

Marc van Zadelhoff: Or look at the news. I would agree. I spent a year and a half outside of cybersecurity and immediately came back when I had the opportunity into my current role. So I missed it. And I think it’s a – it’s beyond a job. It’s a – it’s kind of a passion and a mission. So you were at Polaris. Maybe – I’d love to hear a bit about Polaris. And I really want to get into Sonrai and what you guys are doing there because it’s really cool.

Brendan Hannigan: Polaris is actually a great firm. And this is all – you know, as time goes on, you get to realize you can – you want to work on things which are interesting to you and you want to work with people that are just great people. And so I’ve worked in different capacities with Polaris all the way back, you know, to the early 2000s actually. And so, you know, I know one of the managing partners and the rest of the team over there. I know Dave Barrett extremely well. And they’re just really good people, really good friends. We had this flexible role which allowed me both to help establish investing opportunities and then also to potentially build a company myself. And so that’s what I worked with them on.

Brendan Hannigan: And the first thing actually was investing and then I became chairman of Twistlock in container security, and I could have kept at that. But then, you know what? What happens is it was opportunity based as in you realize this whole cloud area, there’s just a lot of work to be done in cloud. That’s why I decided I wanted to just basically start another company in this area. We – you know, Marc, it’s basically that and then the availability of Sandy Bird, who was a founder of Q1 Labs. He became available, and that’s key, too, right? I mean, you want to basically say, OK, how do you actually go through these, you know, building a business? And you just – you want to go through people you like too and people who are really good. And Sandy’s amazing. And he has amazing people, which he knows. And we’ve built this amazing team up in Fredericton. So we started this business.

Brendan Hannigan: And I was on a couple of other boards, too. You know, I was on the board of Flashpoint and a great company, amazing people, just amazing, great team of people there, too. And so that’s the fun part of our business, but it is always fun to help. I love helping people. I had a really – really loved working with Ben, CEO of Twistlock, and the rest of his team at Twistlock, who were a phenomenal group of people. And it was just nice to be able to give my insights and help where needed. But you know what? It’s harder to go build a business yourself, but it is very rewarding. And so that’s why we ended up starting Sonrai.

Marc van Zadelhoff: You mentioned Sandy Bird is your co-founder and Sandy was also the founder of Q1 Labs. And I was going to say, when you mentioned his name, he’s a national treasure, but he’s an international treasure because he’s up in Canada. And so you guys got together. So tell us about Sonrai, what’s a problem you guys are solving, and how’s it going?

Brendan Hannigan: The business is going great actually, and everything has its – I always like to say, you know, we have some pedigree. So there are certain things where you can – there’s shortcuts, right? It’s – you know, we can hire a great team and you can raise money. But everything has its unique challenges. And there’s no question this space has a unique set of challenges associated with it and opportunities. But it’s an amazing space. I think it’s unbounded in terms of its potential size and scope. And the problem space at the highest level, as I like to describe it, is a huge transformation and it’s – a lot of the people listening, Marc, will be, you know, our compatriots in cybersecurity. I just can’t emphasize enough the transformation that has happened in how we build technology is monumental. It is totally different how we write software, operate it, design it. To think building data centers was kind of automated and we’d call up IT and the security teams and we would do things but now we can instrument infrastructure as code which automatically creates infrastructure in the cloud, bypassing every security control which every company has built up over the last 30 years. That’s just one example.

Brendan Hannigan: Serverless functions in the cloud – you know, we we talk about securing – people still talk about securing endpoints like that’s a thing. A serverless function lasts no more than 60 seconds on average, and yet it has a right to your data. Who the hell is securing that and who’s tracking that? So the reason we started is a realization that the cloud and digital transformation has fundamentally altered how we build technology. And if that’s true, we must fundamentally alter how we govern and secure it. And our company is at the center of that transformation. And for the customers we work with, that is the role we play. So we help our customers understand the risks in their cloud. We find any type of risk you could imagine, and we help them automatically eliminate it, and we monitor it to make sure it never comes back. That’s across Amazon, Google. And in the example in this world, you know, a company we talk about all the time – World Fuel Services. We have big, huge, large enterprise customers. That’s the great thing about our business. We’ve had success with some wonderful ones.

Brendan Hannigan: In World Fuel Services, the difference is we have an infrastructure team that deploys our product and helps set the rules to understand how to govern it from a risk and security perspective and what they want to monitor. But they have 40 app teams which actually are onboarded onto our platform because they’re the ones that have to go fix the problems. They’re the ones creating the problems. So it’s this mix. It’s a very different technology problem. It happens at a different rate and pace, and it’s involving different people in the technology. So that’s what we’re about. And it’s a special area. It’s fun. It’s complicated, though, but everything is.

Marc van Zadelhoff: From your perspective in that massive transformation, which I guess we would call kind of the whole shift-left movement, do you still think the CISO is the key target for you, the key power broker of this particular security angle? You know, for us at Devo, that’s still – you know, we still are aiming at CIO, CISO. Is – in the shift-left side of security that you’re in, is that still where you’re aiming?

Brendan Hannigan: So the answer is it depends. And that’s the complexity in a space like this. In certain companies, we have, and we will deal with. And you can never look at the logo or the vertical to understand how it’s going to look inside with cloud because it depends on how advanced are they, how big their cloud infrastructure has become and how sophisticated the CISO is. Many CISOs are grossly underestimating the extent of this change, and that’s all I can say. So they are grossly underestimating it.

Brendan Hannigan: There’s three types. There is the ones who grossly underestimate it. There are the ones who know that they’re extremely uncomfortable and they need to get a handle on it. They need to be involved and are forcing their way to get involved. And then the third type are extremely sophisticated ones who are really what I would call cloud-native CISOs. And I would say, I don’t know if it’s shift left, but in general, the CISO community – they got to shift somewhere because they got to figure this out quickly because right now, too many of them don’t understand it.

Brendan Hannigan: So to answer your question, the CISO is important in many instances, but our team actually has to navigate to say, is the power with the CISO and the team, the security team? Or is the power heading in the direction – for example, in our world it could be the people running the cloud center of excellence, the cloud infrastructure team. We’re selling typically to commercial and large enterprises. The development team is a stakeholder, but typically the buyer is going to be an infrastructure team, and typically it will be the cloud center of excellence or the security teams.

Marc van Zadelhoff: Got it. OK. Very cool. We could spend a lot of time on Sonrai and the technology and everything. I want to take a step back. As you were getting to Sonrai, with all of your experiences, fresh sheet of paper with Sandy, did you bring a particular philosophy of how you wanted to run the business based on all the learnings from that career that we spent the last 30, 35 minutes talking about? Did you have, like, a set of rules or a set of philosophies? And if so, were you able to stick to them in any meaningful way? What is – is it – Mike Tyson says a plan is only good until you get punched in the face, right?

Brendan Hannigan: Exactly. And actually, I say that to our team all the time, about the space, because I was talking about our space being unbound. I go, look; when we get in the ring in the morning, please remember we’re in the heavyweight championship of the world. We’re not dealing with like, oh, some smaller little companies. We’re dealing with, like, obviously other great companies who see the size of this opportunity. And it is – they’re substantial players.

Brendan Hannigan: So here’s what I would say, Marc, is there’s certain philosophies and experience and wisdom we would hope to gain. I actually have some certain truths that I believe, which is, A, just to always have a great vision – big, audacious vision – really ambitious. That’s what I feel is important. It pushes you every day to basically not get too squirreled away in some narrow segment. You really are taking a step back. And that’s – I think that’s really important. That’s a philosophy. And the counter to that to everybody in our team is have a strategy. What’s our strategy for the year, for the week, for the quarter?

Brendan Hannigan: The second thing is just hire great people. And great people – it seems so obvious. The great people are people who have amazing intelligence and experience and also amazing culture and personality. And what we’re trying to avoid are really, really high-performing [BLEEP] because it’s hard to get the team to perform if there’s people constantly hammering them down. You want people to be built up. And so you want high performers, but they have to be high performers who will bring people up. That’s the second thing.

Brendan Hannigan: Then the third thing is related, and it can be a bit relentless at times, which is just basically – just brutal honesty all the time. And just be honest with each other. Just always challenge yourself. And it’s hard sometimes. You just – you have this beautiful thing, this beautiful idea. And then you realize it just ain’t working. It was a terrible idea. You thought it was a good idea, but it was just a terrible idea. So people should be comfortable telling me that. And I have to be – have a team that I’m comfortable telling them that.

Brendan Hannigan: The philosophy is simple, is – if you have an amazing idea, strategy, and you’ve got a great team and you know where you are, you will get there. And, by the way, you’ll have some fun along the way because you’ve got good people, and you’re having fun. At any point in time, you may think, yeah, things aren’t working exactly the way we’d like, but it’s OK. At least we know they’re not working the way we like, and you got to go fix them. So anyway, those are some of the philosophies that I bring. You know, each one of these is different. There’s no question they’re all different, and they’re always little messy. And you just got to keep, you know, sort of building uniquely for the situation. But ultimately, if you’re in the right marketplace, these are great.

Marc van Zadelhoff: Cool, Brendan. Well, I will grade myself along those three philosophies after we wrap up and see how I’m doing because I think they’re really wise tenants to building a great business. So I think that’s probably a really good note for us to close out on. I really appreciate you being here, Brendan. Thank you so much for joining us on «Cyber CEOs Decoded.»

Brendan Hannigan: Hey, it’s really nice, Marc. A pleasure as always.

Marc van Zadelhoff: Thank you to our audience for listening today. Be sure to join us for the next episode of «Cyber CEOs Decoded.»