Q&A: Jamie Graves, Founder and Former CEO, ZoneFox
Jamie Graves, founder of ZoneFox, and now VP, product management – security analytics at Fortinet, explains how he made his mark on the insider threat detection landscape with a Napier University spin-out.
Tell us about yourself and how the idea for ZoneFox came about.
Cast your mind back to 2005, if you can, when Harry Potter and the Goblet of Fire was released. I started my PhD with computer scientist Bill Buchanan, who people may have seen giving presentations at technology events throughout Scotland. I did my PhD with him, basically concerning the kind of information or data that was being used to accuse people of wrongdoing on internal networks at companies.
We were of the view that the data just wasn’t of sufficient quality for such serious claims. So we set out to try to understand what would be an ideal form of data – what would be forensically sound and stand up in court and, hopefully, prove the innocence of people.
That’s what I spent three years doing for my PhD – looking into forms of data evidence that would allow us to achieve that. Come 2008, I finished my PhD and we decided to apply for Scottish Enterprise proof of concept.
The goal of that fund was to get research that had commercialisation capabilities, take it from the lab bench, stick it out to market and see whether it would fly or not. We did that for a couple of years and there was some good interest. We spun the company out in 2010 called ZoneFox, and it was recently acquired by Fortinet, a global leader in broad, integrated and automated cybersecurity solutions.
How did ZoneFox develop over the years?
It’s mainly the technology that’s developed. The core concept was the same. You need the right data to solve the right job, and I think it’s becoming increasingly relevant where you have organisations that collect vast amounts of data for seemingly no apparent reason. And, if we think about some of the capabilities we have these days, such as machine learning, you can’t just throw data at these techniques because it’s your classic ‘garbage in, garbage out’.
You need to understand what you’re looking for and the purpose for it. And I think that’s especially true in security, where people are swamped in massive amounts of data and organisations just collect data because they’ve been told to.
Also, not a lot of thought has gone into why you are collecting that type of information, what you are trying to spot, what’s the best way to make sure your security operations team isn’t drowning in a sea of data.
Our philosophy has always been ‘the right data at the right time’, in order to answer the right questions. And the way in which we’ve been able to do that has improved over the years because we’ve got big data now. The technologies have improved greatly since we started out, and the same goes for delivery mechanisms as well.
What were the biggest challenges when you founded and developed ZoneFox?
Finding customers. It’s always been a huge challenge. We were fairly fortunate to benefit from a Scottish Enterprise proof of concept scheme, so that gave us a chance to show people that we were a bit novel and that if they invested in us we would give them good returns. Early investors were – I’m not going to say they were super easy to find – but we had a bit of built-in marketing around that. We had a bit of a glow around us that allowed us to get that initial seed funding.
It was really early customers that were really, really tough to find because our first customers, when they did come in, were startups themselves. At that time all of our customers were high growth, really innovative and were trying to do something new and unique.
They weren’t banks or insurance companies that would have benefitted hugely from the ZoneFox product, but weren’t interested at that time as it was too much of a risk. If I’d realised that sooner, I think we might have grown a bit quicker.
But customers, getting customer feedback, and making sure you fail quickly enough to improve the product – that’s always a challenge when you first start out.
How difficult has it been to find workers with the right kind of skills?
Everything I’ve done ever since I left my PhD has been selling ideas to people – whether that is selling the actual product or selling the vision to investors or employees – or to my wife! It’s about painting that picture, explaining to people that they can go off and join a big company, but they might be a tiny cog in a huge machine and will probably hate it.
Or you could join us, which will be the riskier option, but you’ll get to do loads of different things, learn lots and it will certainly be exciting. That’s one thing it will be. It’s about your skills as a salesperson and I don’t mean that in a flippant, negative way. It’s creating a vision about where you want to go and talking to the relevant people about how you’re going to get there.
The other part of the picture is that the universities in Scotland are really good, and relatively close together geographically. We do have good access to talent. Talent’s always been an issue but it wasn’t as difficult as it is now. Everyone’s running a start-up now and everyone’s in tech. This has really exacerbated a lot of the problems we had.
At first, we hired people who had studied in Scotland and decided to stay here. We’ve also had people who’ve studied in Scotland and we’ve sponsored them through the Home Office to get visas and, eventually, remain here and settle with their families.
What advice would you give to students who are thinking about starting their own technology company?
Get yourself a mentor – someone who’s been there, done it. People who have done it before made lots of mistakes and can hopefully help you avoid some of the bigger ones.
Make sure you quickly understand if this is a proposition that’s going to fly or not because I’ve been at this for 13 years now and I’d hate to have wasted that amount of my life on something that just wasn’t going to happen, or was just completely outlandish.
Persevere. You hear a lot about that in the start-up industry. Yeah, that’s certainly a part of it. But you’ve also got to understand that if you’re working on a project that doesn’t have prospects, then just get out of there.
Some people are wedded to their ideas, but ideas are nothing if you do nothing about them. Don’t be precious about non-disclosure agreements. It’s very rare that someone’s going to come along and steal your idea.
How do you think the insider threat landscape has changed over the past few years?
It has changed and it hasn’t. The broad categories are the same – malware, people breaking in and tricking people into telling them their passwords etc. The technology has evolved slightly. We’ve now got things like ransomware, and we’ve got some people who are like Joker from Batman who just want to see the world burn. They just break into places, encrypt stuff, don’t give the key.
There have been some changes there. But, broadly, the threats are the same. I think there’s been an increase in activity from these particular threat actors, particularly nation states and criminal gangs. These criminal gangs aren’t ideological. They’re all about making money in the easiest possible way. The evolution there has been from things like installing a trojan on your machine that would allow them to have a look at your bank password, break into your bank and steal all of your money. But then banks have become pretty good at protecting against that kind of thing so now they do things like ransomware, which is far easier to make money from because there are fewer potential points of failure.
Criminals are even moving to things like phone scams, social engineering, phoning people up and trying to trick them into providing their personal details. They are always after a quick buck and are looking for the easiest way to do it. The other thing that’s changed is the public’s view of what’s going on.
The first big revelations, around the teens, were about Bradley Manning – the US soldier who downloaded more than 700,000 classified documents from US military servers and published them. That was the start of the idea that there was this ‘insider’ risk within your organisation. You didn’t just have to build big castle walls around your company to stop people. You had a real risk from people internally who were maybe disgruntled or were just making mistakes.
Fortinet announced its acquisition of ZoneFox in October 2018. Had you been looking to be acquired at that point?
Yes and no. You’ve always got your exit plan in the back of your mind because you’re always asked by investors ‘when are we going to get our money back?’, especially those who have been with us for eight years. The exit route for this would have been an IPO or acquisition. The probability of IPO is lower than acquisition, and to get to that point we would have needed more investment to get that growth curve. So we figured it would probably be an acquisition.
I actually thought it would be slightly later than it was, but I think if you look at the market dynamics, we’re in a pretty innovative industry. We’ve got lots of big players looking for smaller companies to compliment what they’re doing. And the particular market segment we’re in is pretty hot. It makes sense it happened right now.
Ultimately, we wanted to build a good company with a great product that our customers wanted. We thought that off the back of that we’d be building something valuable that would provide some sort of exit.
A lot of startup tech companies, such as Blippar, seem to focus on growth without actually making a profit. What do you think about that growth model?
That’s now a classic Silicon Valley model. Amazon was still losing cash up until surprisingly recently. Facebook was losing cash until its IPO and it got its business model in place. But I don’t know how realistic or sustainable that model is.