by Sharmeen Ali
Silicon Valley mogul Ashar Aziz is the Founder of FireEye, a company that has been featured in Forbes magazine as Silicon Valley’s hottest startup in 2012. Established in 2004, FireEye provides companies technology and services to protect against malware and cyber-attacks. The IPO of his company in 2013 took Ashar Aziz into the ranks of the world’s top entrepreneurs and the subsequent rise of the company’s share price propelled this technology whiz to a net worth of over $600 million.
A model of creativity, vision and determination, this Pakistani-American fought all odds to succeed as a technology entrepreneur after a modest upbringing in Islamabad. Earning an Undergraduate degree in Electrical Engineering from the Massachusetts Institute of Technology and a Masters in Computer Science from the University of California at Berkeley, he began a career in Sun Microsystems in one of their highest ranks in R&D working as a Distinguished Engineer. After 12 years as a professional, Asher started his entrepreneurial journey with his first start-up Terraspring Inc., which was later sold to Sun Microsystems. His second start-up propelled this technology genius to the astounding success story he is now. In this article, Ashar Aziz talks to Sharmeen Ali about the lessons he has learned through his entrepreneurial ventures, about his company FireEye, and his unique and phenomenal triumph of becoming a technology leader of his time.
Can you tell me about your first company, Terraspring which was the first of your entrepreneurial ventures and where that led to?
Ashar Aziz: “Terraspring was founded on the notion that computing is highly inefficient and managed inefficiently and that there could be a better way to run a computing environment. And that better way was virtualisation. This is as opposed to a physical one-to-one allocation, to task a pool of resources that you can tap into where all the elements can be allocated on the fly to different jobs. So it is workload management on the fly. And the second aspect of that was that the reconfiguration was fully automated. It meant automated and virtualised data centers where software does the job of the reconfiguration of the computers on the fly as opposed to human beings (System Administrators). So what a lot of System Administrators were doing manually, we wanted to be done automatically and in real time. You could shuffle things around. In 2014 that is the main form of computing called virtualised cloud computing. Cloud computing and software-defined data centers were the concept of Terraspring.
There were a number of things that didn’t quite work out well with this company. Firstly, it was a little ahead of its time. It is the mainstream concept in 2014 which started becoming mainstream only three to four years ago. I was working on it in 1999. I raised $100 million in debt and equity financing for the company. We built a million lines of code. Then we sold it in 2002 to Sun Microsystems.
I had an incredible team, some of which I recruited from Islamabad into my first start-up who are also in my second start-up. I had an office here in Islamabad where I put up a small R&D center. When I left Sun to do the start-up I took my team with me. These were software developers from all across Pakistan whom I met when I lectured at Quaid-e-Azam University. These kids grew up in some very difficult environments from Pakistan, where they don’t even have any electricity and running water. They all live in the US now and were with me at the NASDAQ through the FireEye IPO. They were probably five to ten people at the time and I have since recruited many others from Pakistan into FireEye. I have an outsourced office in Lahore that still runs for me where I have 60-70 people and I have been cherry-picking that team and moving them to the U.S. These are the smart engineers, the overachievers who have really moved the needle in terms of product development at FireEye.”
What were the major lessons you learned from your first company applied to the context of your next start-up, FireEye?
AA: “In Terraspring, technology vision was in the right direction but entrepreneur execution was wrong. First of all we made it too capital intensive. We made it a service which meant that I needed half a billion to a billion dollars of capitalisation and I only got $100 million. $100 million sounds like a lot of money but it was too little to do what I was trying to do, so capital intensity is a bad thing for a start-up. So that was lesson number one. Too much capital requirement is a risk factor that you want to avoid. The capital requirement was high because we were going to build entire data centers and offer it as a service as opposed to software. I spent $20 million dollars out of the $100 million just on data centers, just to give you an example, and it was a tiny amount.
The other thing is that as a startup you can’t tackle too many things, or too big a project like a data center. I have to tell Walmart that I want to be your data center and I’m this company called Terraspring, and they’ve never heard of me- you’ve got to match what you’re offering to the scale of the company that you are. Ultimately, you can grow into a big company after you start off small and you earn your way into the trust of the customer. So lesson number two was we started off too big, too mission critical, without any track record of success.
The other problem was the software was complex to deploy. When you build a product for somebody, people think of how it will work when it’s being used, but they don’t think about how it will start getting used, which is the initialisation of the product, or the initial use case. That was a mistake that the initialisation use case was weak for professional services. Once it was working it was all smooth but it would not get working without a lot of effort on the part of the customer. That introduces friction in the sales cycle. So you have to think that before you ever get to the final use case you have to go through the initialisation use case.
All three lessons have been applied to FireEye. The initialisation use case is dead simple. The product is up and running in thirty minutes. It requires almost no effort and starts proving its value almost instantly. Whether it’s a consumer product or a business product the acquisition of that product should be simple.
I got washed out in 2002 because there was an economic collapse. Even though I had raised $100 million we had spent a lot of money. You can never control the economy and other factors that are out of your control. In 2009 there was a worse economic collapse than 2002 but I had seen that movie before and I massively cut expenses going into that downturn so that we could survive that downturn and immediately take off after the downturn was over, as opposed to going down and getting busted in the middle of a downturn. Survivability in tough times is something you have to prepare for and having very low burn as you’re trying to prove the product value proposition and the iteration of the product in the market- to prove the value with a small amount of burn. These are all the lessons that I took from my first venture. This was a lesson for me in adaptive failure response because even though the company was acquired by Sun in 2002, for me it was a personal failure because my investors and employees didn’t make any money. It was close to breaking even at 80 cents to the dollar, but it’s not what you shoot for when you aim to form a company as grand as trying to change the future of computing. I did a domain shift and went into security, which is another important thing- don’t be stuck in a particular domain of practice because it’s much more important to be focused on a problem that represents a large market opportunity versus what you know today. What you know today is an accident of history. You can learn something new which is relevant to building a big important business. So the way to think about it is problem first, solution formulation second and solution engineering third. Threading the needle in the reverse direction is very hard. Unfortunately, most engineers make that mistake.
In the case of my current company FireEye, the problem is cyber-attacks that you know nothing about. The perfect solution would always find that attack and never miss the attack. I had no idea how to build such a perfect solution. I could go about engineering it because I knew that if I do that now I have an incredible product for an incredible market. Now it is a problem worth solving because you’ve already done the market work and you’ve figured out that the perfect solution is something that recognizes an attack, even if it knows nothing about an attack. So it’s going one-two-three from problem definition to solution formulation to solution engineering. And solution formulation can be done even without you being a domain practitioner. I was not a malware researcher at the time I started FireEye. Today FireEye is the number one malware protection company in the world and I’m the inventor of the technology and I’m not ashamed to say that I was not a domain practitioner at the time I started the company.”
You Founded FireEye in 2004. Were you the brains behind the technology or the brains behind the business?
AA: “I was both. I was the Founder, CTO and the CEO for eight years. I’m the inventor of the technology. I designed the blueprint of the architecture. I am the guy who sat in my living room writing long, copious notes on the design of the product. I’m the technical inventor and then I ran the company for eight years.”
When you took your company public in an Initial Public Offering in 2013 what kind of financing did you raise for your company, and how did your company grow as a result of going public?
AA: “I had taken $50 million into the company until the end of 2012. In December of 2012 we did a $50 million mezzanine round so that we could really prep the company for the IPO. So that added $100 million to the company. In the IPO I raised another $300 million in the public market. It was massively oversubscribed so that lead to the run up in the stock price and it opened at double the value. We used the funding to accelerate the expansion of the company in every aspect of the business from Support, to R&D, to Sales and Marketing, to IT Infrastructure. In every facet of the business, we’ve turned the dial towards growth and expansion. We have deferred profitability and the market is sympathetic in that they understand that the scale of the company is too small against the scale of the opportunity. So we have to grow up from a gangly teenager into this big brawny guy really fast. We’re consuming food like there’s no tomorrow and they understand that our food expenses have really gone up. And they don’t mind that we have red ink on the P&L statement as we’re doing this because they know that the model is profitable. It’s our choice when we want to turn on the profitability dial versus the growth line. We are on the growth path right now and the market is responding very positively to our forward momentum of growth, which is one of the fastest in the industry.”
Is that growth taking place within the United States or globally?
AA: “Growth is taking place globally. We are in 100 different countries around the world. We have a direct presence in 40-50 countries where we have our own employees and entities. We are present in North America, South America, Western Europe, Southern Europe, Middle East and Africa. Our indirect presence is in 100 different countries. We have approximately 30% of our revenue from international markets and growing. We have had triple digit growth in our Q4 earnings and that’s a fairly unusual trend. There are maybe two or three companies in the world that have that kind of sustained growth rate at this scale. The broader market is in single digit growth. Triple digits are considered hyper growth.”
To what extent has your workforce increased since expanding your company?
AA: “We were under 3-400 hundred employees just 18 months ago. Then we rapidly grew to 1300 to 1400. When we bought Mandiant, which has 500 employees, our total number grew to over 2000 people. It’s been a four times increase in 18 months.”
FireEye acquired Mandiant in December 2013, in a deal worth a billion dollars. How did your company and its products and services benefit from this merger?
AA: “Our market capitalization is now $12 billion, which is different from what you see on the ticker because the market is not reflecting the fully diluted shares of the company. As far as the product is concerned, we have a portfolio and in that portfolio is Mandiant’s portfolio. The product that we had was a network based product and now we have a network based product that communicates to an end point based product. Endpoint is a host like a PC or a Mac. Mandiant has software that runs on this, which can find an unknown malicious code and it can communicate to our network level product. So we have a full platform, which is why we had a bump up in our evaluation in the market. The market saw the only company coming up with a complete platform to find unknown threats in real time. The other piece of the product is about threat intelligence. People really want to know who is attacking them. It’s one thing to identify the kind of attack but more interesting is to know who the attacker is- whether it’s the Russian criminals, The Chinese intelligence, or the U.S. intelligence. It’s like somebody shot a bullet in me and I can see the wound, so who pulled the trigger? They (Mandiant) have that incredible intelligence about the threat actors. So when you see an attack there are technical artifacts of the attack which you can use to find out who are the attackers. It’s called the attribution problem- being able to attribute the attack to an attacker-and they have the world’s largest and best databases around attribution.”
Are you expecting any bellyaches for this merger?
AA: “We have to digest them really well. There’s always risks in an M&A transaction, but I would say that we have mitigated that risk by having a really seasoned management team that knows how to do M&A. David DeWalt, the CEO that I’ve hired from McAfee is a very seasoned M&A person who has done over a hundred M&A transactions in his career, and so has the team under him. We have a good affinity with the company we’ve acquired because there’s no overlap with what we do and what they did so the roles are completely complimentary.”
What do you consider your company’s most significant strength today?
AA: “We have the best technology and people working together. We have led the way that everybody is imitating. Even large companies are trying to imitate FireEye now. But imitators don’t win the day, innovators win the day. We have innovators at FireEye, then the technology, then our processes. So when you combine people-process-technology that can be a difficult set of pieces to put together in any other environment. Those are our strengths. Also the intelligence that we have about threats is a very murky area. When the national intelligence agency of Russia or China is developing a cyber-weapon they don’t advertise it, so you have to know how that thing works in order to defeat it. It’s a complicated art and we have in-depth knowledge of this very dark art.”
What distinguishes FireEye from its competitors and others in its industry?
AA: “We have come up with a new model for security and this model is based on working on threats in real time without any prior knowledge of the threats. When the enemy is sophisticated, they’re going to make the threat unknown every time. How do you deal with an attack about which you know very little? We have a platform that can find that needle in a haystack, we can pick that needle from that haystack even though we don’t know what that needle looks like and the needle is trying very hard to look like a piece of hay. Everyone else is trying to find a known needle out of a database of needles, but today’s needles don’t map to any database. Their signatures are changing every day. We have that technology that everybody else has been lacking.”
What operating strategies has your company adopted for further growth in the long and short term?
AA: “Our short-range plan is to figure out how to infiltrate into the markets that we can with the existing products, and the long range plan is how we complete the product portfolio and the multiple facets of the business. We have the business platform as well as the product platform to tackle the market opportunity. So in the short term we’re trying to sell our products in the markets and make sure the market understands the technology with an education task in front of us, because people are still buying the old products even though they don’t work anymore to the tune of billions of dollars. The buyers are less skeptical of our products now because of their success in the financial markets. The buyer market and financial market influence each other in a kind of synergistic way. So short term planning is important because the market measures us quarter by quarter. We also make sure in the long term the vector of the business is heading in the right direction, which is that of being the most comprehensive platform and the de facto standard for the defense of cyberspace in the 21st century.”
