Peer Effect

There's always one move left to make - with Chris Kirsch of runZero

Season 2

Chris is the founder of runZero, a cyber asset management company. Chris has been acquired six times, IPO’d once and is one of the few black badge holders of Defcon.

Chris had one of his greatest challenges right after college at the start of his career.

The whole business was dependent on a key encryption licence which was about to be withdrawn. It would take a year to replace properly. They had less than a month.

His CEO was a great role model for Chris. He was calm under pressure and willing to take risks and had a mantra: “There’s always one move left”... Chris just had to find it.

Could he do it in time?

In this episode we discuss:

  • Making bold moves and taking risks in business;
  • Where hard work and resilience can take you;
  • Why taking a step back and reassessing situations with a fresh perspective is essential.

Tune in to hear how Chris made strategic decisions that skyrocketed his career and got him to where he is today.

More from James:

Connect with James on LinkedIn or at peer-effect.com


James: I'm delighted to welcome Chris to the show today. He's the co-founder of runZero, a cyber asset management company. He's been acquired six times, IPO'd once and is one of the few black badge holders from Defcon. Welcome Chris.

Chris: Thank you for having me.

James: So some very interesting stats in that. Uh, but what, what are we, what are we going back to?

Chris: So for, for this story today, we're going to party like it's, uh, 1997, not 1999. Um, I had just gotten out of college. First job. Uh, we had, um, OEMed a, a technology from another company called PGP. And this was a year later when I got the distinct hunch that they weren't going to renew our OEM contract, and our entire business was relying on that.

So I, I went into the CEO's office, my boss, it was a pretty small company, and he, you know, I, I said, Hey, these guys aren't getting back to us. We have to extend the contract. And, uh, I, I fear that they're not going to do that. And like how we, how are we gonna do that? How are we gonna continue the

James: So, so just to set the scene for listeners, how, how important was this, this, this OEM license to your product?

Chris: Yeah. So we, we have to, I, I'd like to set the scene a little bit in terms of the, the environment at the time. Right. So this was an encryption product in the late nineties, and the US government had a law in place that would prohibit the, the export of strong cryptography. So in the US you could have, you know, like your, I don't know what it was at the time, like the, the browsers like a, a Netscape and so on, or Microsoft encryption had 128 bits, which was the, you know, considered strong encryption at the time.

But when any US company would export encryption, it would be cut down to 40 bits. So that meant that organizations like the NSA could inspect the traffic and, and break that encryption. And when I say like 40 to 128, it's not like three times as much. Each bit doubles the strength of the encryption. So you can see how 128 is quite a bit higher than 40, right?

And so this, this guy called, uh, Phil Zimmermann, he, um, came out with this open source software called PGP, which is stored, uh, short for Pretty Good Privacy, which was kind of like tongue in cheek where he made, uh, military strength encryption, quote unquote, you know, available to the masses for the first time so that you could send, uh, emails in an encrypted format around the world without any government having the ability to inspect it.

And now on today, you know, we've got Signal, that's all very normal. We, we kind of expect that, but at the time, that was very new and his idea was that you should be able to whisper into somebody else's ear halfway around the world. And that technology had been invented in the US so it couldn't legally be exported.

But, um, they figured out a way. I think they, they, um, um, figured out a way to get it out of the country. I think it was a, a clone where basically some guy in Norway, Ståle Schumacher, um, built it based on, uh, Phil Zimmermann's original library that the whole thing was based on and so on. So, uh, now it was available outside the US.

Um, the, um, the FBI was actually going after Phil Zimmermann for that because they thought that he was possibly breaking the law. And this was no, uh, small thing. This was basically classified as war ammunition. So this is like a pretty serious offense. And we were on the other side. I was working in Germany, and uh, there was demand for strong encryption in that world.

And we said, all right, how about we take that PGP version and build, which was command line, it was super hard to use. And we build a graphical user, fa face on top of it, integrate it into Outlook so that you can just send an email and it's encrypted automatically in the background and it's decrypted when it comes in.

So super transparent. So we had written the UX, the integration, all of that stuff. But we had licensed the PGP engine from PGP Inc at the time. And so if you have a user interface that OEMs the core part of what it actually does, then that's pretty critical to your business. Like without that, if it doesn't encrypt, then you, you can't sell.

Right. What would you sell?

James: You, I mean, you're basically starting Outlook.

Chris: You basically still have Outlook, right? So, yeah, so that was a, a, a pretty serious situation. Um, PGP had, um, this is since we're talking mostly to other founders here on this podcast, it was a really interesting way to license the software because we couldn't officially license it. We weren't, they weren't allowed to export it.

Uh, we had gotten it from a server in Norway, so the contract, and this is where I learned, I, I had started to get an appreciation for how creative lawyers can get. Um, the contract was a covenant not to sue for trademark and copyright infringement, so it was not an OEM license. It was basically them saying, we will not sue you for using the PGP trademark and we will not sue you for using our copyright.

So it was pretty weird contract to start with. And then PGP got acquired by a company called Network Associates. Um, they were basically a merger of, uh, McAfee and a few other companies, and I think PGP was wrapped into that. And so the management had changed. The landscape was starting to change where, um, the, the legislation was changing where it looked like all of that export control was going to fall for mass market software.

And so we saw the writing on the wall and I think Network Associates did as well. And they said, well, if we can go and sell our stuff internationally, then this company in Germany, they're, they were called, not a very easy name to pronounce for Americans or British people, especially with the umlaut. Um, that company is gonna be a competitor to us, right?

And so I, I was looking at that from the other side. And they had also then started a project where they had brought out a new version, PGP five, I think it was. Uh, and they figured out a loophole in the legislation where you couldn't export software that had encryption in it, but you could export books that explained how to do encryption, right?

First Amendment, freedom of speech. You can, you can print whatever you like and these books often had, um, code samples in them. And the code samples were also on the CD in the back of the book, if you remember. This was late nineties, so we were still, this was, you know, like, download from the internet. I was like, yeah, you know, takes a long time.

So you, you still pack it, uh, packed a lot of CDs and so, uh, one person, I forgot who this was, basically sent a, a cryptography book to the Department of Commerce and said, Hey, can you give me an export classification on this? And this was without the CD. And they said, well, duh, it's a book, you know, so here's the export classification.

And then he sent the same book with a CD with a code samples on them and said, can I get an export classification for that? And then the Department of Commerce was like, oh crap, we messed up. Because it's the same thing in electronic format. So, um, what PGP did is they published a book that was 6,000 pages long.

It was not bound, and it basically was the source code for the PGP five engine. So it was open source, but it wasn't open license. So today, when we talk about open source, we think about it as, yes, you can read the source code and you can inspect it to make sure that there's no back doors in it. But we also always assume that it's free to use and that is.

Under the law, those are two different things. So you can open source something where you publish the source code, but you're still not allowed to use it freely without permission of the author. So they had published this book, it had an ISBN, you could order it on Amazon or whatever, and it wasn't bound so that you could ship it to another country and they shipped it to Switzerland and they would, they then had another entity there that would scan it in.

Uh, OCR it. So optical character rec recognition. Basically automatically read it in, compile the code, and now you had a, an international version of PGP five that had, was completely clean from an export control perspective. So again, ingenious, creative way to get around laws. So hats off to the lawyers, right? And so we could see PGP forming an international business and we were in their way and that was what got me really worried when they weren't, um, responding to our calls.

James: Okay, so just just to recap, this is your, this is your first business at university. You decide off the bat to u use something which the FBI are coming after, which is, which is a bold move in itself. Um, you've built,

Chris: We were merchants of math.

James: You've got, you've got them doing clever. So the people you're licensing it from licensing but not licensing it from, uh, are better change their mind and cause they've come up with clever ways, thanks to lawyers, to get round the export restrictions.

And you see sort of the writing on the wall for this bit, the core bit of your product, which encrypts it basically being taken away from you. So you, you end up kind of just having like an, an unencrypted. You're selling encrypted email without any encryption.

Chris: Yes,

James: So how, how does that conversation go with your CEO? So,

Chris: So first, um, you know, I'm always, uh, I've always been the one that's a little bit more pessimistic and more concerned, and he's always been the more that's, uh, more optimistic and so on. And so he is like, ah, no, no, I'm sure they're gonna renew. And like, why would they do that? And so on. And then, you know, like a few weeks.

Later we were, you know, they still weren't getting back to us. So we were thinking, okay, this contract's gonna run out. We'd better make a move before it runs out. So first thing we said is, alright, like long term, how are we going to run the business if we can't license from them and one of the, uh, folks that was associated with PGP was working on a draft for an open PGP standard.

So an RFC, request for comment. Basically an open standard for the PGP format. Didn't mean that we could freely use the software, but now there was a published, um, standard on how people could interact with PGP and make their own implementation, which gave it more legitimacy against other standards like S/MIME that were out there for email encryption.

And so that standard wasn't final, but it was close to

James: Mm-hmm.

Chris: and we had a, a draft in our hands. So we thought, okay, what if we just build a clone? So if we build a clone of the PGP engine, I mean, not an exact clone, but something that can talk to other PGP implementations that has the same encryption strength that is actually made in Europe, not in the us.

And uh, so we started on that path and this was what we called the the Open PGP engine. Then we said, all right, how long is that gonna take us? Probably about a year. We, we, we guessed about a year. I think it ultimately took us about 18 months as it's a, a big complex beast. And it's not just, you know, you, you have, um, the, the encryption algorithms themselves that you need to implement.

You, uh, had to, uh, create good random number generators because if you create predictable random numbers for encryption keys, then it's easy to crack and smell. So there's a lot of care that goes into it before you can even start building the actual encrypted email. That's then like a, a higher level thing.

So it took us, we, we, we thought it was gonna take us about a year to build that. So then how do we survive that year,

James: Mm.

Chris: we, we were attached to a bigger consulting company, so we were essentially a spun out, a spin out. So we had a little bit of, uh, support from that side as well. But we thought, okay, how do we make sure that we don't lose our market, our active deals that we're in, uh, our existing customers and so on.

And so we looked at the OEM contract that was still active at the time, and this is where I think their lawyers, I, were maybe creative, but didn't lock us down enough because the agreement was that we would have to pay a certain percentage, I think it was like 5% or something like that. We would have to pay 5% of any earnings that we got off of our product back to PGP, but they didn't have a pricing floor, right?

There was no dollar number of like 5%, or at least this dollar amount. So we thought, okay, if we can saturate the market enough for the next year, that everybody who's even remotely considering buying a piece of software like this in the next year, if we can incent them with a super low price to buy right now, then we don't get a lot of cash in the bank, but we'll block the market for everybody else.

Right. And so, uh, what we did at the time is we, uh, pushed out a campaign and I think the, the cheapest license was like at a certain level it was a buck a seat, a dollar, like a, well actually I think it was Euro already, not Deutsche Mark. So a euro per seat. And, uh, we got a lot of companies to buy. All the ones that were on the fence said like, this is a no-brainer.

Like even if we don't have resources to deploy this right now, this is such a good offer. We're gonna go for this. And I think it only worked because we gave them the the why. Like we told them, Hey, this contract is expiring. We're building a clone in the meantime. So you have continuity, the price is gonna go up over time, but for the next year you can use this for super cheap.

And so, uh, so a lot of companies went for it. We had, uh, big like aerospace companies, car manufacturers. We had, um, industrial automation manufacturers and so on, uh, with tens and hundreds of thousands of seats that bought our software and that helped us get a little bit of cash in the door, but also just really block out the competition for the next year.

So, um, that was a, a really interesting move at the time and, uh, really helped us get through that dry period.

James: How, so when, when, when you were sitting there with your, with your co so talking through these options, it sounds like you're quite early in your career at this stage, and these are really quite so, like, so that we're talking international, we're talking like high risk. We're talking how, how, how did that feel having having those conversations?

Chris: Uh, daunting, right? Uh, it was, it was super interesting. I mean, what a way to, to start your first job. You know, I think in 1996 when we did the OEM contract, I wasn't even full-time with a company. I was still, um, working. I just finished college. I was working daytime as a graphic designer in an agency and evenings for the software company.

And in 97 then I switched, uh, full-time to, to working there. But it was just way more interesting than, than working as a graphic designer and just, uh, yeah, uh, really, really good start. And uh, my manager at the time, Chris Kanja, who was the CEO, wasn't that much older than me, but had already run his company for a few years.

I think he might have even started like just out of high school or when he was still in high school or something like that. I think just out of high school and first started trading computers and consulting, then some software stuff and so on. Uh, we, we initially tried to launch an antivirus product, uh, that was integrated into exchange.

Um, and, and then switched over to encryption because that was a, a newer market, less saturated market. And he is somebody who is very creative, um, very calm, under pressure, and willing to take risks. And this seemed like a pretty good move at the time, you know, so we had limited moves, but there's one thing I learned over the years is there's always a move left in almost any situation,

James: Hmm.

Chris: right?

You just gotta think it through, like think through all the angles, like there must be another move here, and there's probably several, and then you can broaden your options and pick one that, uh, that works best for you at the time. And quite honestly, you needed a little bit of luck too. If the contract had looked differently, if the open PGP standard hadn't come out at the time, if our customers would've said, no, we're not gonna buy, nothing of this would've worked. Right. Uh, it would've been a, a lot harder. And so, uh, yeah, it, it was a cool period. It was scary, but it was a cool period.

James: I only thing I really like about this is, is, is the solution came from shifting the timeframe. Because if he looks at you and, okay, well we've got a month before we lose our product, we basically lose our business. There is no way to replace it in a month. Okay? If we, if we shift the game to a year, what does that open up?

Because from a month perspective, you've got no solution. But actually by shifting the timeframe, we talk about a lot on this podcast, like extend the timeframe and it opens up different solutions.

It gave you more variables and, and you really went and it felt, again, it feels very bold. It's kinda like just locking down the entire market and going after these big companies with big seats, sort of as a, as quite as, as quite nascent entrepreneurs early in the career. These, these are, these are bold steps.

Chris: Yeah, and we were already talking to all of them, right? We already had deals in the pipeline with these companies. If we were net new, it wouldn't have worked. Because we were already a known entity, we had started to build trust. Right. Um, that was a, a real option. And also there was, um, PGP was I think the only vendor at the time that could really get into the German market because of their philosophy of open, uh, open source.

Not open license, but open source because even more so than now, uh, the Europeans and the rest of the world were really afraid of US industrial espionage, and they wouldn't trust any foreign encryption, any, especially US encryption. And so PGP was kinda like the only, the, the only player that could really get into the German market.

And, but we were from Germany, producing crypto in Germany. So it was, we had an edge on that even then. Right. And especially when you're thinking about some of our customers, you know, uh, car manufacturing, very internationally competitive industrial automation, internationally competitive. This is a co this was a company that also made nuclear power stations and you know, like stuff like that, um, that, uh, was part of the, uh, military industrial complex aerospace.

Same thing. Very competitive on the commercial space. Also very involved in the, uh, in the military industrial base. So, they weren't really willing to use US crypto in their networks because they didn't trust it. Right. So that was a unique situation.

James: I mean, Edward Snowden showed that was a completely flawed, flawed risk, right? It wasn't happening ever.

Chris: Yeah. Yeah, yeah. Um, Snowden happened much later. Right. And Snowden kind of showed some of the things that the NSA was doing in later years. But even at the time, there were cases where, for example, uh, Enercon was, I think they were a German company making wind, wind turbines, and this was not email, but they had sent, uh, plans of a new design.

Over, I think it was an open fax line or something like that. It wasn't even over the internet, uh, between two, uh, two locations. And then when they went to file a patent in the US for that technology, they were blocked from filing that patent because another US entity had already filed a patent for that same thing.

And not only did the other company have the same idea, they had submitted the original drawings from Enercon to the US, uh, uh, USPTO. So it was clear to them that, uh, you know, somebody had gotten these drawings and handed them over to the other company, and when they investigated it, it, it was fairly clear, or at least clear to them that it was intercepted communication.

So, how that happened exactly. Whether that was government involvement, whether that was something else, I don't know. It could have also been an individual. I don't remember the case from that time exactly. And I'm not sure how, how much is public. Uh, but that was a, a big example of industrial espionage. If we forward to today.

I think, uh, yes, there's still still some level of distrust between the US and the, uh, and Europe, but the game has shifted a little bit where, uh, now the west is more united and is worried about China and Russia. Uh, so that's kind of the, the big block of alliances. And, uh, I, you know, there are cases where, uh, for example, Russian, uh, VPN software, Russian security software was resold in Germany under a different name.

And, uh, people figured it out and then, you know, kind of ditched that technology and so on. So there's always that game of another country trying to infiltrate a nation's, uh, security systems and, and providing technology that undermines the, uh, the security of their military, of their, uh, commercial operations and so

James: Well, I think what that highlights is that something you said before about, you'd built those relationships actually going to the market without relationships and going, Hey, we've got this really cheap piece of software for a year. Stick it in your power plants, planes, et cetera, is not gonna be a successful strategy without trust.

Almost, almost, almost the under, like reducing the price reduces the trust.

Chris: Yeah. Yeah, well, uh, but we, we explained the situation, right? We explained the situation. We were quite open with 'em because they also knew that the PGP, uh, software was the underlying technology underneath the UX. Uh, PGP was also at the same time coming out with their own UX.

It was no longer command line, but they integrated with, with Outlook and so on, or Microsoft Exchange client at the time. And so it, uh, I, I, I think the, the trust was built by having the previous conversa, uh, previous relationship by being very transparent and by saying, and we've got an off ramp for you to get off of US technology onto a German

James: Mm.

Chris: right?

James: I th I think, again, it's one of these things come up time and time again. It's kinda this, this, this transparency with your customer is really important. Cause then you're not, you could have a very open conversation with 'em around the technology. You, oh, by the way, all this time we, we, based on this, this US technology, but also just building

this trust that you, if you're having to respond in a crisis without the relationships, without the back work, it's very hard.

It's, it's, sometimes it's work. You don't realize that it pays off. It can feel like it's not paying off, and then suddenly it's when everything goes wrong, it really pays off.

Okay, so, so if, if, if we play this forward, your year, your years, your projected years up, what happened? You've, you've locked up into these nice, long year long contracts. You're ready, you're ready to come to the party with replacement. 

Chris: So, uh, we did, we did come out with the Open PGP engine, uh, 18 months later, um, and built a, a, a really good business based on that, retained a lot of the customers and so on. It also, by having to re-architect the product, it also opened up another avenue for, for us, because now we were no longer the only player in the, in the central European market.

So we thought, okay, PGP itself is one standard. There was a, a fight between two slash three standards at the time, and if you're trying to, let's say build a fax machine and there is three standards, it's pretty tough if, if you can't send to everybody, right? Imagine that. So, but if you're the, the one fax machine, and we're talking about email, I'm just using fax machine as a, as an, um, analogy here.

If we, if you're the one fax machine that speaks all three standards and you just talk to each fax machine in the standard that it wants to be talked to, then you've got a leg up. So what we did is we, we partnered with, uh, two companies, um, to use their encryption technology. One was for, and one was for.

For a standard called PEM, which was more, it's an international standard, but it was really only adopted in US gov in in German government. So we built one engine that could, uh, send in all three formats, receive in all three formats. That made it more universal in a world that was still converging on, on one standard, right?

And, uh, that gave us a leg up going forward. So we had the more modern approach, more future proof, uh, approach and so on. And, uh, yeah. So, so that really worked out.

James: And so did what, obviously you're doing something different now. What was, what was the end of that story? Did you.

Chris: The, it's, it's almost, I'll give you the short version, uh, because this is like, the next parts are almost enough for another podcast, which is why I was hesitating to go into it. So just around the time when we finished up the Open PGP engine, we got a, an offer for an acquisition, uh, from a company called Biodata, which you've probably never heard of.

Um, but they were, at the time billed as like the German competitor to Cisco. They had the, the most successful IPO in the, on the German version of the Nasdaq, the Neuer Markt. And so this was like a high flyer, you know, like in the news all the time. And so we, we got acquired, we integrated into that company and so on.

Flew around the world, I think in the first couple of months. I was, uh, first in, in Las Vegas for Comdex and then in in Taipei for, uh, uh, Asian, a sales meeting or something like that. So really interesting times. But then we figured out pretty quickly that, hmm, this company looks a little different from the inside than it does from the outside.

And, uh, so they actually, uh, ended up going bankrupt shortly after they acquired us, I think it was less than a year. And, uh, so, so we, we were a subsidiary. So as you know, by definition, we kind of, uh, went into bankruptcy, bankruptcy with them, and we decided that our business was worth something and we worked with the, um, but the trustee, uh, the, the government appointed trustee to buy out the assets, so the intellectual property, the office furniture, all of that stuff.

And we retained all of the employees and refounded the company and rebuilt that business. And then, um, that was, I think in 2002, and then in 2005, uh, PGP had spun out again from Network Associates a few years earlier, and they came to us and made us an acquisition offer first. First, you know, they were puffing their chests and say like, oh, we're gonna crush you, et cetera, et cetera. And then the next conversation was like, Hey, do you wanna maybe be acquired instead of getting crushed? And, uh, so yeah, we got acquired by, by PGP. That's one of the reasons, uh, I, I landed in the US and uh, then 2010 PGP got acquired by Symantec.

And 2019, uh, Symantec, uh, got acquired by Broadcom. So now it's like in the belly of the beast. Somewhere, somewhere out there. I, I doubt that our code base is still active, but you never know.

James: That's amazing. That's true. Like I love how circular that is. But um,

So how does that lead to today? So if you were to look at where you are today, what, what do you think you took from taking from that sort of experience that's really stuck with you in what you're doing at runZero?

Chris: Yeah. So this was my first exposure to working in a small company and, and thinking in a very entrepreneurial way, right? And so, uh, today we have a lot of different competitors right, in all different fields. Um, it's quite fragmented because we're in a, in a field that overlaps with a lot of other fields.

We do, um, we call it cyber asset management. Basically, we tell people what's connected to their network so that they can make smart decisions on how to protect it. So we typically sell to the threat and vulnerability management team, incident response teams, sometimes the penetration testing teams and help them truly understand what's connected and how both in the IT network, in the OT network.

So those are kind of like factories and biomedical devices and, and those kind of things. Then, uh, in the cloud and with remote users, and you can't really start your, your security journey, your security program, if you don't know what you have, and understanding that's become harder and harder over the years as the environments have become more complex.

So that's what we do today. And when you think about that, we compete with a lot of other companies around the fringes. So, um, endpoint detection, response, vulnerability management, um, companies like ServiceNow that do, um, uh, ITOM, IT operations management. They, we, we don't do exactly what they do, but we overlap a little bit.

So it, it creates opportunities, but also friction with these companies. And so kind of thinking through strategically, like how do we interact with that ecosystem and what's the best play and so on. That's really interesting. And then, uh, also, you know, runZero is a lot larger than Glück & Kanja was at the time, at least the, the software part.

Actually, overall it's, it's larger, but I still consider ourselves a, a, a small company. And so as a small player, you need to be really smart in what's the right move and how can you be nimble and turn on a dime when the situation changes. So that's something I've learned. And like I said, there's usually at least one move left.

So even when you think, as an entrepreneur, you're in a corner, take a breath, take a step back, and just think through the situation and and broaden your options.

James: So I really like that. It's a really nice, nice place to finish. It's kind of just, there's always one move left. Just take, take a moment or a couple moments, pause and think it through.

Chris: Yeah. And if, if you're too stressed in the moment, maybe, um, call up, uh, some of your friends that are familiar with the space or that are entrepreneurs just to get an outside perspective and get some coaching.

James: Oh, I'm bars, so, or even the coach.

Chris: Yeah, true.

James: Boom. Perfect place to end. Thank you so much, Chris. I've really enjoyed that chat, and thank you for sharing.

