Fred Kneip is the co-founder and CEO of CyberGRX which provides the most comprehensive third-party cyber risk management platform to cost-effectively identify, assess, mitigate and monitor an enterprise’s risk exposure across its entire partner ecosystem. The company has raised over $60M from top tier investors such as Bessemer Venture Partners, Google Ventures, Scale Venture Partners, AllegisCyber, Blackstone, Telstra Ventures, and Rally Ventures to name a few.
In this episode you will learn:
- How they pulled in all of these types of investors
- The three things you need to raise capital like this
- The toughest day you’ll face as an entrepreneur
- The two things Fred recommends to other entrepreneurs considering a startup
ACCESS THE PITCH DECK TEMPLATE
About Fred Kneip:
As Chief Executive Officer, Fred Kneip is responsible for the overall company direction of CyberGRX.
Prior to founding the company, Fred Kneip served in several senior management roles at Bridgewater Associates, including Head of Compliance and Head of Security.
Before that, Fred Kneip was an Associate Principal at McKinsey & Co., where Fred Kneip led the company’s Corporate Finance practice.
Fred Kneip has also worked as an investor with two later-stage private equity investment firms.
Fred Kneip holds a B.S.E from Princeton University and an M.B.A. from Columbia Business School.
Connect with Fred Kneip:
* * *
FULL TRANSCRIPTION OF THE INTERVIEW:
Alejandro: Alrighty. Hello everyone, and welcome to the DealMakers show. Today we have a founder that is going to share a lot with us about culture, cybersecurity, going from investment banking to leverage buyouts to going out and starting your own business, and raising money with just a PowerPoint — just an idea. So without further ado, let’s welcome our guest today. Fred Kneip, welcome to the show.
Fred Kneip: Thank you, Alejandro.
Alejandro: So originally raised and born in Brooklyn, New York. How was life growing up there?
Fred Kneip: I think it was great. Brooklyn was a fantastic time. My parents bought a house there in the 70s, and I still live in that same home today. I thought it was a wonderful experience. I got to experience the city. I did have a little bit of that, “How could anyone grow up anywhere else” mindset that I think most New Yorkers have. It was fun to be able to get out there and go to the Statue of Liberty, Empire State Building, etc. as we were growing up.
Alejandro: What a difference Brooklyn has experienced over the years because before, like not even a long time ago but like ten years ago, you could get a townhouse for like $300,000. And now, those go up to like two million.
Fred Kneip: Yeah. My father — I was pretty impressed. He worked as a lawyer on Wall Street. As he looked, “We could live in Connecticut, New Jersey, and elsewhere. Or I could commute for five minutes from Brooklyn.” That was pretty easy. But it was a different neighborhood back then. Much of mom and pop type stores and very friendly. Actually, a really good community. It’s evolved a bit. Now, you have hiring restaurants, art galleries, and a variety of other things on the block that I grew up on. But it’s still a neat community just over the bridge.
Alejandro: Then you went to boarding school. Obviously, in Europe, where I’m from and especially in the UK, for example, going to boarding school is a big thing. But here, New Yorkers — correct me if I’m wrong, but it’s not like the usual thing. So can you tell us what was the idea behind boarding school?
Fred Kneip: A lot of it came down to ideally, athletics. In Brooklyn, it was either playing basketball or squash, which we had a great facility. I ended up playing a fair about of squash. I am basically incompetent at basketball, so I took that off the stage there. My parents wanted me to get a chance to play a lot more sports, so I got out and went to a school in Connecticut and was able to play football, was able to play soccer, experimented with lacrosse, and a variety of others. It was a whole new world for me. It was wonderful to get out there.
Alejandro: One of the things that I also experienced from — it’s interesting because the way that you grow up and all the different experiences have shaped who you are and also the type of entrepreneur that you’re going to be, too. So especially for those that go and do boarding school, especially at a young age, they develop that sense of independence, and they’re really tough, especially mentally. How did that shape you?
Fred Kneip: I think it definitely helped. It teaches you more personal accountability at an early age in that it’s no longer mom or dad doing this for you. You have to get set up in your room or whatever it is at the school. I think that has definitely stayed with me, that element of I make my own decisions. I bear the consequences of my own decisions versus blaming others in that sense. So I think it’s an incredibly important component. And it’s a harder lesson. I wouldn’t say that every day was glorious. You learn things along the way, but then it makes it much better. And I will tell you, I had a much better college experience as a result of that because I went in having gone through the homesickness, or whatever you want to call it, in the couple of years in high school, and I was now much more comfortable as a young adult.
Alejandro: And the love for resolving problems for engineering, how did you come up with the idea of, “I’m going to go to Princeton and do engineering”?
Fred Kneip: Interestingly, I would say the solving problems; a lot comes from my mother. She’s an extraordinary resourceful woman. It was never, “That’s broken. Okay, let’s move on.” It was, “Let’s take it apart and figure out why it works.” So early on, when I was maybe ten years old, I would sit down with her and rewire a lamp or reupholster a chair. My parents put the flooring in on their house in Brooklyn, having no idea how to do it, and there was no internet back then to do so.
Alejandro: No YouTube or Cloud.
Fred Kneip: I’m sure there are still some issues that remain from that. It was a matter of figuring things out and understanding how they work. I love that, even to this day. My son bought something the other day that was a cheap buzzer tool from China. He dropped it once, and sure enough, it broke. So he and I took it apart and figured out, “Here’s how this broke and separated.” It’s more fun to do it that way. That led to an engineering, problem-solving mindset. I was attracted to those types of subjects.
Alejandro: So why do you think that perhaps there are going to be some interesting problems to resolve in investment banking? That’s the direction that you took after graduating.
Fred Kneip: Yeah, it was interesting. It was a bit of a financial modeling. My undergrad at Princeton was called Engineering in Management Systems, which was focused on the intersection between engineering, problem-solving, optimization approaches, and microeconomics. So how do you optimize financial deployments and such? A lot of what I did, I rebuilt practically the M&A model that Merrill Lynch used for bank mergers. It was fun to build that out. I was one of those nerdy guys who loved excel early on, and I was able to build a lot. That was exciting for me, modeling out what you could do financially. What would happen if this bank bought this bank? What would happen if you did this investiture of some of that sort? That was quite interesting.
Alejandro: In investment banking, you get to see the numbers of companies, great performers, really bad performers, companies that have potential, companies that don’t. Any highlights or insights that you got from this experience?
Fred Kneip: Nothing earth-shattering in that sense. It was remarkable how EPS and quarterly-focused companies were and making decisions that behind closed doors, we would have conversation with a CEO and say, “Look. This isn’t the right strategic thing for the company, but I can’t miss earnings this quarter,” and things like that. That was telling for me like, “Wow. That doesn’t sound good.” But I won’t pretend to have nearly enough experience or exposure to be able to pass full judgment on those situations. That actually drove me to look at what can you do in the private markets a bit.? Then the next step I took there into the leverage finance world and LBOs and such was part of that.
Alejandro: Why did you leave Merrill Lynch and then go at it with leveraged buyouts? What caught your eye and the interest on that?
Fred Kneip: The company I joined right after Merrill was a company call Holberg Industries, a holding company. While not a typical LBO firm, it basically had two portfolio companies that were growing through highly-financed acquisition strategies. One was a foodservice distribution company, and one was a parking facility’s operator. Not the most sexy industries, but man, incredible opportunities there to build economies to scale. That was attractive to me was that element of going and building a company and taking a variety of small organizations in building something bigger and more impactful as a result of that. And the opportunity at a small firm like Holberg was I was hands-on traveling the country with the CEO there and working through that strategy with him.
Alejandro: That’s really interesting. The rollups, for example, that you were also exposed to at this time, like when you get to have some cash, and then you buy a bunch of people, then you unite that into one. That’s a very interesting way rather than starting from scratch. So what did you learn from seeing this type of strategy?
Fred Kneip: One of the things that was interesting, and if you have time to look up some of these, one of the bigger companies we had from Holberg, a company called AmeriServe, was a spectacular bankruptcy. It was an interesting learning through that. It was a 10-billion-revenue company. This was not a small organization. One of the things I realized through that was if you have an aggressive integration strategy or these innovative concepts, nothing ever goes fully according to plan, and you need to be well-capitalized in ability to absorb those disruptions along the way. Otherwise, you could be subjected to, unfortunately, the bankruptcy-like AmeriServe, where they ended up selling the assets for pennies on the dollar. If they had been fully capitalized and had the cash to ride through that bump in the integration, it could still be a highly profitable company today. That was a very telling lesson. It has actually influenced how I’ve raised capital at CyberGRX today in just raising ahead of need just to make sure that we have that capacity to survive through bumps or unpredictable components that might come up.
Alejandro: We’ll touch on that in just a little bit. After all of this experience between the leverage roll-up strategies, and the rich buyouts, and so forth, you decide to do the MBA. This is like your bridge towards a change of strategy or a change of perspective on your professional path, and you join McKinsey, and you were there for seven years. Now, one of the things that I keep coming across on entrepreneurs that I meet, entrepreneurs that also come on the show is that when they do consulting, they really get a good feel and a good grasp on how to grab big problems and break them down into small problems and tackling those at that point. What have you learned from doing that, and what is the real value that a firm like McKinsey can bring you as you’re thinking about tackling your entrepreneurial journey?
Fred Kneip: I think you’ve captured a bit of it right there. My decision to go back to business school stems from I was now put in a position to help dictate the strategy for these organizations, and quickly realized I didn’t know what I was doing. I was literally reading a research report and said, “This is what Goldman Sachs says we should be doing.” That seemed like a terrible approach to strategy. So I went back to business school, and what I got from that was a great conceptual understanding, like Porter’s Five Forces type concepts. “Okay. This is how you can frame it up.” That was the first time I had even heard of half of that stuff. I come from a very technical modeling background from a banking world, and I was, “Let me understand. This is how you think about building a sustainable, competitive advantage, etc.” Going to McKinsey was an opportunity to them take that concept or that theory and try to put into practice and say, “I’m going to work with a company to help develop a new product line, or help a company think through a rationalization of a certain cost savings, or whatever it happens to be. It was an incredible opportunity to see that concept doesn’t always stand up in the face of reality that you need to work and, “Here are the nuances and different components.” The tools at a place like McKinsey or Bain, BCG, you name it will provide you are fantastic structured problem-solving approaches that help distill problems down to, exactly as you said, manageable pieces. You’ll have a decision-tree type or a hypothesis trees. “Let me lay out all the facts here. Now, let me put these together. What happens if this goes here? What are the key dependencies?” And unpacking and looking at it from that perspective. One makes it easier to understand, but two makes it easier to explain. That’s one of the key things that McKinsey is very good at is helping simplify complex problems and explaining them to a board or an executive team. “Here’s why this problem looks like this. Here’s why you need to go this direction.” In many cases, the answer then becomes obvious when you strip away all the unnecessary components and say, “These are the key factors that are driving them.”
Alejandro: One thing, Fred, here, that comes to mind and especially given the fact that we have all these entrepreneurs that are probably listening right now, I think it would be interesting — maybe you can walk us through an example of how you go about resolving a specific problem. If we can just make up whatever problem, how would you go about tackling it?
Fred Kneip: The key is, and I would say diagnosing or breaking down, what are the factors that are driving a certain circumstance? So if you have a problem or you have an issue, or you have a market you want to enter, what drives behavior? What drives this? What’s causing this problem? Too many people just try and solve the symptoms and say, “We’ll put a band-aid on this,” or whatever it is. Or “We’ll go left instead of right.” But instead, what’s that root cause? Why is that actually happening? What is driving that behavior? What will actually drive future behaviors? So I can apply it in CyberGRX as we look at why are people continuing to move forward doing an assessment of companies with an antiquated spreadsheet? That makes no sense. But it’s something that’s been established in the company, and it’s “safe.” This is a risk practitioner that may not want to take a risk. So it’s safe, even though they know it’s not the best path, it’s safe in that it doesn’t expose them. “How do we address that problem?” Not, “We’re going to go out and market more heavily,” or some of that sort. Or “It’s hard to use.” It’s taking your time to unpack that and distilling it down. When we talk later, I’ll mention some of the stuff that I did at Bridgewater that was really powerful with this to take problems down to their root cause, and then you can build up more sustainable and impactful solutions.
Alejandro: That’s interesting. Why don’t we shift gears here, and let’s talk about the most immediate step or the most immediate phase right before you started the business, and that is Bridgewater? Bridgewater, obviously, Ray Dalio, with his book, Principles, and everything that he’s talked about like the culture of Bridgewater. Can you tell us a bit about this culture? Why is it so unique? Why is it so different? Why is everyone talking about it? Why is this?
Fred Kneip: Bridgewater’s culture was fascinating to me. My experience at McKinsey, one of the things that also stood out to me is I never saw a management team that I was like, “Wow! That’s fantastic. They work perfectly together.” The human element always made its way in, in some way: a level of distrust, a level of talking behind each other’s backs, or whatever it might be. There is one power company that I worked for where literally after each meeting, the CFO would call me, the CEO would call the partner I was working with and the Head of Strategy would call the associate I was working with, and all complained about, “Can you believe she said that? Can you believe he said this.” This was a Fortune 100 company. I said, “Wow. This is dysfunctional. This can’t work, and I don’t want to be a part of that longer-term. What was appealing to me at Bridgewater was the radical transparency concept of there is no talking behind your back. Everything is out there. Meetings are recorded and shared, etc. That concept made a ton of sense. So what Ray built is founded on the concept of you just go to put it all out there. Anything you hold back is going to fester and continue to grow, and it will be unaddressed, so you’ve got to put it all out there and be open about it. I think that was really compelling to me. It’s uncomfortable, and it forces conversations that not everyone is ready to have, but it also enables you to feel confident and walk in like, “I know what’s going on. I know what they think. I know exactly here. I’m not worried about what happened.” You walk into a room, and the conversation stops, like, “Okay. That’s not good.” That didn’t happen at Bridgewater. It was more, “We were recording this, but now you’re here, so I’m going to tell you what’s going on,” or whatever it is. That was extraordinarily appealing to me. Ray’s vision there, and it’s probably not fair for me to share it, but it’s interesting. I share because I’m not quite qualified to say, but what Ray has done with Bridgewater, which is amazing is they’ve effectively systematized markets. Everyone has said it’s impossible to do so, too much variance, too much going on, too much complexity. There’s no way you could actually systematize the way markets operate. The Bridgewater approach built over some 40 years was to basically decompose every component of a key metric or commodity or whatever it is and say, “The price of gold. What actually drives the price of gold? What drives each of those drivers? Then what drives each of those drivers?” If you effectively keep going down until you can’t go any further, you can build a model that will then build that up. Where the Bridgewater team spends all their time and energy saying, “What are the multiplying factors to say its demand for electronics because it’s on circuit boards? Or it’s demand for jewelry or these things. And each of those is driven by these 14 things.” I think Bridgewater gets something like 10 million inputs every day that then feed up to this model that synthesize out, here’s a GDPS. You refine that over years, and you actually can systematize markets. They backdate their models for 200 years and say, “Have we adequately predicted every kind of war, every issue that could happen, every downturn, every recession?” Then say, “Okay, yes. The predictive capacity of this tool will work.” So with that, I would say closer to success, Ray has moved to say, “What’s another completely unpredictable, unable to manage area?” And that’s people. So how do I build some level of systemization around the way people make decisions? How do you build guardrails or rules to operate by that can try and eliminate some of the inconsistencies and such that might come from emotional impact and such? So if you look at the way Ray wrote out in the Principles, a lot of that is about letting logic win the day over an emotional response to something. It’s hard. Human beings are emotional. I wouldn’t say it’s perfectly executed, and I think Bridgewater’s growing on that front, but conceptually, it’s interesting, and it does allow better discipline than forcing and saying, “Hold on. Why am I concerned about this? Why am I not having this conversation? Why are we holding back on this?” and trying to unpack the key drivers behind each decision you make to get better at them and to identify some of your own weaknesses.
Alejandro: Talking about decisions, the other day I was seeing how, for example, whenever they have brainstorming sessions, or they have meetings, they’re able to rank each one of the opinions, and then everyone has access to the data, and you’re able to see where things are heading. Is that right?
Fred Kneip: That’s correct. It goes to the whole transparency. It’s been several years since I’ve been there, so there are new tools that are evolving well beyond since I was there. But at that time, a lot of stuff — we’d need to go into full Bridgewater discussion here, but there are components around who has a proven track record at different components; better or worse at making decisions in this context? Then, what do they think? Then you can use that to effectively score against, “Fred said this, but he’s medium-likelihood. Greg said this, but he’s a higher probability. So let’s overweight that in a way of calibrating the different ideas or responses.” It’s an interesting approach. I’m not trying to fully agree with all of it to be honest, but I do think what Ray is trying to do there is buildout, particularly leveraging technology now, as much as possible to truly systematize and optimize decision-making output from people.
Alejandro: Got it. And this was, obviously, an important experience for you. This was your real introduction to cybersecurity. Is that right?
Fred Kneip: It was. I always call it MBA+. It was, take everything you’ve learned about how to operate a business and take it to a whole different level.
Fred Kneip: I shared with one of my colleagues who I work with there. He categorized it really well. He basically said, “I’m glad I went; I’m glad I left.” I share that same opinion. It was an extraordinarily powerful couple of years for me there, and I learned to think introspectively about how I address issues, how I operate. That has yielded confidence in its own way. Being okay with and aware of your own weaknesses is actually confidence-building because you can say, “Okay. That’s all right. I need to get help on this. That’s okay. I’m good at these things.” Having that confidence was a powerful component. It also taught me that the benefits of that level of transparency and having those open conversations. It impacted components with my family even where there was something with my brother that I never brought up before that I discussed with him or things like that. I think it really helped. I’ve pulled a lot of those cultural elements into what we’re trying to build here at CyberGRX. I’m very thankful for the time I had there. I learned a lot about myself, learned a lot about how to manage a company. I also felt my time was up there, and I was ready to move on to something new.
Alejandro: Before we shift gears here, and we talk about how you incubated your idea with CyberGRX, I’d like to know, what was your biggest learning about yourself?
Fred Kneip: That’s a great question. My biggest learning about myself is I was afraid to say the words, “I don’t know.” When I was at McKinsey, it was something like where someone’s paying McKinsey a million dollars a month to come work on some strategy, and I’m sitting there saying, “How can I possibly look this CEO in the face and say, “I don’t know what you’re talking about. Why would he be paying for that?” So I fudged it. I would nod and work my way around it. Unfortunately, what that did was, I wasn’t able to engage in the conversation to the depth that I wanted to or that I was able to because I was keeping on the periphery just trying not to be exposed to the fact that I didn’t know what was going on. The other is, I didn’t learn about stuff. So I didn’t grow, and least, lesser work. One of the things that Bridgewater pushes firmly is there are times like, “You know what? I don’t know. I didn’t know anything about that. It’s okay.” It’s remarkable how powerful that small phrase is that I spent the majority of my career never saying has been. In the cybersecurity space, which I arguably have a more shallow background than a lot of some of the entrepreneurs in the cybersecurity space, I’m constantly talking to them and saying, “You know what? I’m not sure about that. That’s an area I’m not familiar with. But let me understand a bit more from you so I can engage in a thoughtful way and actually supply some input.” I can’t emphasize enough how powerful it is to truly admit, “I’m not sure, but I want to learn more.”
Alejandro: Yeah. 100%. CyberGRX, why don’t we talk about what was the process of bringing this to life? Obviously, after the experience of Bridgewater, that catapulted you into taking the leap of faith and making it on your own.
Fred Kneip: At Bridgewater, I came in as a manager from my McKinsey background. The approach that Bridgewater takes is that you may not find in a single person what’s necessary to run a department. You need subject matter expertise as well as management experience or capability. Where I came in as my first job at Bridgewater was I co-ran the compliance team with a woman who had an extraordinary background, a great depth of understanding, a former SCC prosecutor. She and I built out the strategy, and I learned about compliance through that process and was able to represent it and share that with our management committee. That went well, and I was then asked to lead the security team, and I ran that for about three years, having never dealt with security before that. And I ran staff, physical, and cybersecurity for Bridgewater. That was my introduction to cybersecurity, which was our area of focus. Bridgewater built a pretty robust staff and security programs, but cyber was still growing and dove head-first in understanding that. One of the things we dealt with there was the constantly expanding ecosystem of vendors or suppliers that we worked with our analytics team. “We want to use this new AI tool. We want to use this, etc.” But that’s sending sensitive data each time, and we had no capacity to go and evaluate the security risk of some new startup or whatever it was. So we just took a couple of calculated bets actually. When I left Bridgewater, that was an experience that I had. I was introduced to a guy named Jay Leek who, at the time, was the CSO of the Chief Information Security Officer at Blackstone. Jay’s role was to secure Blackstone, but then also ensure there was an appropriate level of security at all Blackstone Investment or Portfolio companies. He’d helped place the Chief Information Security Officers at many of their larger investments, etc. He held a quarterly forum where he engaged with them about issues going on, problems they could address collaboratively. One common issue that kept coming up was, they were also unable to keep pace with the exploding number of third parties that all their businesses, albeit in retail or healthcare or infrastructure, whatever it was, everyone was using more and more third parties, vendors, suppliers, you name it. The security teams were feeling exposed. They were not able to do adequate levels of assessments. They had no idea what was implemented in the network, etc. Jay looked at that and said, “Okay. There’s no way all you guys can achieve scale individually, but why not together. Let me run a quick test.” He looked, and he asked — I think it was 100 companies. Of that, maybe 90 of them were using ADP for payroll. Of those 90, about 50 were literally sending a team to evaluate or assess ADP once a year at a cost of several thousand dollars each. To do that is like, “This is insane. Why don’t we do a single assessment at the Blackstone level, and I will then share that data with all of Blackstone portfolio companies: massive cost savings, highly and much more efficient for ADP, so teams make sense. That was germinating in his head at the time, and he and I were connected. He mentioned it to me, and that’s where the seed for or the beginning of CyberGRX came from.
Alejandro: What happened next?
Fred Kneip: He and I looked at it and said, “This is a great concept. Why isn’t it out there yet? Why aren’t other people doing this?” So we did a bit of investigation and looked at some other concept or products that were out there. There were some kinds of standard assessment templates. There were certifications you could get. But none of them had ever achieved a level of clear adoption. So we met with the people who had helped found or design a lot of these different programs. Part of this — going back to that diagnosis element, “It’s okay. There’s a problem here. These haven’t taken off. I want to spend my time to truly understand before repeating the same mistakes that others might have made.” We identified a variety of components ranging from people don’t want a certification; they want to be able to dig in and understand the data behind it — to, if you put all the burden of certification on a small company that can barely afford it, that doesn’t work, and they’ll resist it particularly only if it works for a portion of their customers. So you need to think about how do you share that cost more equitably or some of that sort. So, a variety of takeaways that we were able to use the design-side of GRX. One of the key things that came was people were looking for broader adoption or marque-level adoption to give them confidence that it was the right decision. They weren’t taking a risk that would get them in trouble or potentially expose them. What we did is, we then went out and built a group of what we called design partners up front who were going to help us design and build out what CyberGRX’s assessment and methodology for evaluating a third party would be. Jay was instrumental in creating introductions and helping bring onboard. These were companies like Aetna and MassMutual and ADP, Blackstone, Bloomberg, and a few others. That is that consortium group that got CyberGRX off the ground.
Alejandro: What ended up being the business model, Fred?
Fred Kneip: The business model is pretty straight forward. It’s: we do a single assessment of a company. I picked on ADP earlier — we’ll go do a cyber risk assessment of ADP in granular detail to understand the inner workings of their whole cyber program. It’s a survey-based approach. It’s not deploying a technology, which most [0:32:04] are not comfortable with allowing something to go into their environment. This was working with them to truly understand what’s there. We have a partnership with a leading consulting firm to help us with the validation of those responses. So, “You told us you have this phishing policy. Show us a copy of the policy, and show us how it’s being implemented.” Then that data resides in our exchange, and it can be shared multiple times. ADP was assessed 5,000 times last year. I’ll repeat that: 5,000 times that people sent them an Excel questionnaire and said, “Tell me about your security program.” With our program now, that can be answered once and can be shared with all those companies. So it’s in their benefit, as well. Our business models, we charge for the subscription or the consumption of that information. We charge our customers who are typically Fortune 1000, a couple of Fortune 10, and even companies who are now using CyberGRX to manage their third-party ecosystem, which can number in the tens of thousands. And they’ll use our platform to gain access to data around those companies. So they can think about an individual company or a portfolio of companies basis, “What risk exists, and how do I use that to inform my business decision for this company?”
Alejandro: Very cool, and you have to be one of the few people that I know that has raised 9 million bucks with just a PowerPoint presentation. How did you do this, Fred?
Fred Kneip: It was a compelling story. If you think about what a venture capitalist is looking to fund, you want to know is there an established — I think it’s maybe three things. It’s established pain. Is this a real problem? And you have product/market fit in that sense. There’s a real problem, and you’ve diagnosed it appropriately. So the pain was just resounding. No one liked filling these things out. No one liked receiving and reviewing them. So the market was right for some kind of disruption there. With our design partners, we had that product/market fit box checked if you will. The second is you’re looking at total market size. The market was huge. People were spending millions of dollars on this. There are some banks that were spending 20 or 30 million dollars on this alone on their internal teams. So it was huge and growing aggressively. Any of the estimates we saw were 20-plus percent growth and in the billions of dollars for total spend — a completely fragmented market. So the market opportunity was huge. The only other thing we had to show was to demonstrate the ability to execute. That was a bit of a bet on me, and then with someone like Jay on board — then I was able to bring in a couple of colleagues who had these fantastic backgrounds. So when you think about that, those should scratch the majority of the itch for a venture capitalist. You’ve got the market size established. You’ve demonstrated the pain and the opportunity to meet the market need. Then you had the team to execute against it. And then people were willing to take a bet. We got a great consortium of early investors to come in and allow us to start building the company.
Alejandro: That’s amazing because how much capital have you guys raised to date, Fred?
Fred Kneip: We’ve raised about 59 million so far to date.
Alejandro: Obviously, in different rounds. I see A, B, C, and even a venture round. Can you walk us through the different expectations from round to round?
Fred Kneip: Sure. We’re atypical. Typically, a company starts off with seed round of some kind where you’re starting to test it out, get early customers. You help show that product/market fit or early view. Ours was more of a “This opportunity is right here in front of us. We want to jump on it. We’re going to fund aggressively to go after it quickly.” Our A investors were taking more of a seed perspective. They were saying, “I’m going to take a bet on this. It looks like a great opportunity, and let’s run.” Our A Round was led by several of the leading cyber investment firms like Ten Eleven Ventures, or AllegisCyber, and companies like that. Then we had a lot of strategic investors who the pain was so great for them, they were willing to take a bet to see what we can do. Blackstone invested. Google Ventures invested. Bloomberg Beta, Aetna Ventures, MassMutual Ventures, etc. all because they would be direct beneficiaries of this product. So it was worth it for them to take that calculated bet. Once we had built out our assessment program and said, “Here’s how we’re going to do assessment, here’s how we’re going to interpret the data, and here’s what a platform will begin to look like. Then we were able to bring in someone like Bessemer Venture Partners who was much more ready to go with they said, “This makes a ton of sense to me. You guys are starting to put the meat on the bones. That’s where we can add a ton of value.” They’ve been a great partner in helping take it from “This seems like it’s wobbling along and seeming to work” to “Now it’s a built out and stable concept.” That was our Series B. The as we moved into our Series C, we were able to bring in a company like Scale Venture Partners who — their name indicating their focus is, “You’ve got something that’s starting to take off. We have the methodologies and capabilities to help you scale and build that out efficiently.” They are very metrics and experience-driven with an incredible amount of data to say, “If you’re thinking about entering into these different regions, approach us to do so. Here’s how you should be spending. Here’s how you allocate your capital most efficiently based on what we’ve seen from the portfolio we worked with.
Alejandro: That’s amazing. And the journey, as we all know, is not a straight line. Obviously, you guys had some bumpy phases, yourself as an entrepreneur, and I understand that one of those had to do with getting a bit ahead of yourselves when growing the team. So tell us about this experience.
Fred Kneip: One of the things as an entrepreneur, which is invigorating, but it can be dangerous is, you sit there every day dealing with this problem, it’s the most important thing in the world to you. You think it’s going to be just the best. How can anyone not want to wake up every morning thinking about third-party cyber risk? So when we started to build out the early offering, my and the team’s expectation is, “Man! Everyone is going to love this. We’re going to have to bolt the door to keep out all the demand.” So we stepped up to get ready for that. We brought our way our first early customers, and we’d gone out to the market. We were ready to go. Got a team ready to complete the assessments. We had a whole customer success team — everything all built up and ready to go. Interestingly, not everyone wakes up excited about third-party cyber risk. We did have a bit of our work cut out for us to generate the demand that we’d expected. It was slower than we thought. Unfortunately, when you’re burning through capital every day, carrying that big of a team, it was unfortunately not something we could do because we didn’t have the demand to support it. So while we went out and hired people within a six-month period, we, unfortunately, had to have a layoff. We had to cut back on about 15% to 20% of our workforce because we were too far ahead of where we needed to be at that time. I tell you, that’s one of the worst experiences that you can go through. You’ve asked people to come and trust you on your vision and where you’re going, and then six months later, say, “I’m sorry. I got ahead of myself. It’s not going to work right now.” That was hard. It probably was the worst day that we’ve had as a company, and I, personally, have had in this company.
Alejandro: I can imagine. So who do you think you needed to be at that moment in time in order to be an effective leader?
Fred Kneip: I think you need to be definitive. I can look back on some of the different career steps I’ve taken and things like Bridgewater, and not hiding from the truth, and not being afraid to have that difficult conversation. It’s the right thing. It was the right thing. We could have tried to fumble along, but we had people that literally had nothing to do because their job wasn’t there, and we didn’t have the demand to fulfill. So it was the right thing for them. It was the right thing for the company. Just having that conversation and being honest and direct about that, I think, helped. Interestingly, I’ve stayed in touch with many of the people who left through that process and have good relationships with them today. I think a lot of that came from the transparency and the honesty in saying, “Look, here’s our situation. There’s not much I can do here, and this is what is necessary for the company.” I can’t tell you that people weren’t upset that day, but over time, I think there’s an appreciation and understanding for that. So from a leadership standpoint, it’s not trying to mask it, not trying to defer responsibility or blame. You own it. You made that call. You made a mistake, and you’ve got to move forward with it. Hopefully, that leads to a better appreciation long-term.
Alejandro: Yeah. The facts are always going to be the facts. What matters is how you deliver them. It is what it is. So Fred, for you, as you’re leading here and watching the space, where do you think the cybersecurity space is evolving as a whole?
Fred Kneip: It’s evolving in multiple directions. You are getting so much greater focus on cybersecurity because everything is interconnected. Everything is being recorded. There are few people out there who truly appreciate the profiles that are being built on them, the data that’s available on them from every company and such others. You’ve seen a lot more regulatory requirements that are going to be interesting. All that drives up an increased interest in managing your security increased requirements to do so, and I wouldn’t be sharing new news, but the deficiencies or the lack of available cyber talent is dumbfounding and will continue to grow in terms of — I think in the U.S. alone, there are somewhere between a half a million and a million empty cybersecurity roles today. That’s only going to grow. That’s just the U.S. Global just gets bigger and bigger. That’s a problem. That’s what a lot of these startups are trying to solve. If you look at the underlying things, they’re trying to figure out how do you allow people to be more efficient, do more with less, or create more AI-driven automation type components what were previously manual processes? Even CyberGRX, what we’re doing is, it used to be a manual process where a human being has to send out an Excel file and then wait for another human being to fill it out and send it back to them and talk through, and then digest it. Imagine doing that for 1,000 companies. We can take that all away in terms of our platform. Now, a single person can do ten or more times the work. That’s the type of stuff you’re going to see in the cyber industry as it gets more and more pervasive in terms of conversations out there. The other scary thing about this is the threat is constantly evolving and growing. Every control we put in place, someone is figuring out a way around that next one, and you have to constantly stay ahead of it. It’s a dynamic and growing market. The things that were “safe” years or even months ago are now, “Now there’s a new attack for that. Now there’s a new way to address that.” This is going to be a huge forefront. Advice to anyone who’s thinking about a career choice is, cybersecurity is hands-down probably the best job security that I can think of for the next 20+ years in building and understanding that level of credibility, and then potential opportunities to build and develop your own company around that.
Alejandro: That’s amazing, Fred. One of the questions I always ask the guests that come to the show is, knowing what you know now, Fred — it’s been quite a ride. So knowing what you know now if you were to go back in time during the days of Bridgewater where you were maybe thinking about launching a business and what that would look like and how to do it, if you had the opportunity to speak to that younger self, what would be that one piece of advice before launching a business that you would give to your younger self and why, knowing what you know now?
Fred Kneip: I’m going to answer your question in two ways. One is if I look back on career decisions that I’ve made, I, until recently, have been very safe — established companies, well-respected brands. I would have guided myself to take more risks. Go do an international posting. Go work for a startup. There’s incredible value that I got out of working for places like McKinsey and Bridgewater in terms of learning. There’s also incredible learning that comes from, “Okay, we’re not going to make payroll in three weeks. What are we going to do?” And really thinking through about those tangible problems and being a part of that, particularly before you have a family and kids and such. I wish I’d spent more time taking more risks, doing more things like that at a younger age. That being said, a lot of my experiences have led to what I’m able to do today and given me that foundation of some of those experiences in talking to CEOs and such through a McKinsey standpoint in understanding how they think has been helpful. Going into CyberGRX, I believed a bit of our own Kool-Aid if you will in, “Oh, this is going to be easy to build this. We’ll have this up and have 100 customers by the end of the year.” I think there was an element of focusing a bit more on knowing what you don’t know and planning for those eventualities or issues that you have not forecasted. I’ve been lucky enough to have availability of capital to build out a cushion that guides us through or allows us to make the right decision for the business and whether issues or things that might come up at a little bit greater dilution, but at the same time, it actually gives much greater confidence and ability for us to stick to the vision and the strategy that we’re on. That is something I learned through the journey early on like, “We’ll raise a Series A, and we’re done.” When I look back on that, it’s almost comical.
Alejandro: Especially for the folks that are thinking about their own financing efforts, if I had to ask, what are your thoughts on either raising what you need or raising all that you can get, what would be your answer to that?
Fred Kneip: It’s probably in-between. One is that part of a job as a CEO is you’re effectively always fundraising even when you’re not. It’s important to keep relationships out there to make sure people are aware of who you are. So even if you just completed a round it is, continue to build those long-term relationships so that when you actually do need capital, it’s not the first time you’re talking to someone. It’s critical that they have that relationship, that trust that’s come through. You know, Scale — I’ve gotten to know them two years earlier just through conversations, and I built that up so that when we were time to raise that next round, that was an easy conversation versus “Let me tell you who I am.” That’s a critical piece. In terms of taking capital, you typically have a sense of what you want. Then I have erred on, “Let’s take a little bit more.” I’m not going to say all you can get because sometimes that’s probably not necessary, and the last thing you want to do is over-dilute yourself with a huge balance sheet when not necessary, and you don’t have a use for it. But saying, “Here’s my plan. Now let me expect it to go south. What do I need to get through to get me back to a good spot?” Maybe that’s working with a bank to get a line of credit, or it’s raising additional extra capital, but I would always go for a little more. I’d always take that round, and right before you need it. We’ve also been lucky enough to raise our last two rounds in a pre-emptive capacity where it’s before we were on that, “Okay, we’ve got six months left. We’ve got to start raising.” We still had money in the bank, but it made sense, “You know what? It’s available now. It’s going to be enough, and we have good, reasonable use for it. Let’s take it,” versus waiting for potentially higher valuation 12 months from now and putting a lot of the stuff at risk.
Alejandro: Very interesting point there, Fred, and very valid. For the folks that are listening, what is the best way for them to reach out and say hi, Fred?
Fred Kneip: I’m happy to talk to anyone in particular. If they’re interested in third-party risk, I’m on LinkedIn, CyberGRX.com – anyway on that sense, I’m happy to talk about business. Or if people have questions about building a company, I’m happy to connect on LinkedIn.
Alejandro: Fantastic. Well, Fred, thank you so much for being on the DealMakers show today.
Fred Kneip: It’s been my pleasure. I really appreciate it.
* * *
If you like the show, make sure that you hit that subscribe button. If you can leave a review as well, that would be fantastic. And if you got any value either from this episode or from the show itself, share it with a friend. Perhaps they will also appreciate it. Also, remember, if you need any help, whether it is with your fundraising efforts or with selling your business, you can reach me at email@example.com.