Gaurav Banga's Balbix Is a Global Player in Preventing and Repairing Cybersecurity Breaches
Gaurav Banga never intended to start a series of cutting-edge high-tech companies. His latest is Balbix, based in San Jose, California, one of the world's most advanced cybersecurity platforms.
"I'm an accidental entrepreneur," he told Startup Savant. "While I was earning my Ph.D. in computer science at Rice University, I had intended to be an academic. But when I started applying for faculty positions, I realized I would be teaching undergraduates without knowing much about their future industry careers. So, I took a sabbatical for a year to work in industry, and I had so much fun, I never went back."
He served as a senior engineer at Network Appliance, Inc., which had gone public in 1995 and thrived until the Internet bubble burst in 2002 (it eventually recovered and became an S&P 500 component).
"I felt invigorated by the fast pace of innovation in the private sector," he recalled. "At NetApp, I loved the challenges involved in building large and complex software that powered systems such as Yahoo! Mail, Dreamworks' production of 'Shrek,' and the big banks of New York. As a side project, I also took responsibility for overseeing security requirements in the company's products. That is when I first became aware of the need for better cybersecurity solutions."
Cybersecurity was not top of mind just yet. Banga left in 2003 to co-found and become CEO of PDAapps Inc., a software developer for smartphone applications. This was before the iPhone, when a small fraction of the population walked around with strange-looking and large phones with a screen: Treos, BlackBerrys, Windows smartphones, and Symbian devices.
"I initially had no clue how to run and scale a business," Banga admitted. "But I was fortunate [to] have many mentors, and one of my earliest was Norm Meyrowitz, president of Macromedia [a graphics multimedia and web development software company, before it was acquired by Adobe in 2005]. He was an avid fan of our products and was very helpful in the success of PDAapps, which produced the world's most popular mobile instant messaging app, VeriChat."
Meyrowitz and other mentors guided him through the process of becoming acquired by Intellisync Corp., a provider of data synchronization software for mobile devices, in 2005. Banga served as vice president of product management until Intellisync was itself acquired a year later by telecom giant Nokia.
By this time, Banga had been awarded quite a few patents; he now holds 72, clustered around some of the technologies and related inventions he created. These include his work on network protocols, storage visualization, instant messaging, and micro-virtualization.
"The way my brain is wired, I am always looking for problems and inefficiencies in the daily lives of people and how technology might be harnessed to help. This leads to innovations and makes life interesting and energizing," he said. "My advice for anyone filing a patent for the first time is to work with a good patent attorney and not to think you can truly understand what you need to do on your own."
In 2006, he joined Phoenix Technologies Ltd. as chief technology officer and senior vice president of engineering, where he would remain for the next four years.
"At Intellisync and Phoenix, I learned a lot about how larger mid-size companies make decisions, everything from strategic direction and investments to talent and scaling," Banga recalled. "At Phoenix, my team enabled most of the PC industry, shipping more than 130 million endpoints with our firmware and software every year."
Operation Aurora and Bromium
By the time Phoenix was acquired in 2010, Google had disclosed that Chinese organizations with ties to the People's Liberation Army had penetrated its systems. Other companies targeted by what became known as Operation Aurora included Adobe, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, and Dow Chemical. According to security software maker McAfee, the primary purpose of the attacks was to gain access to and modify source code.
Banga had come to realize just how vulnerable so many organizations were and co-founded Bromium to eliminate security breaches through micro-virtualization, a new type of protection against advanced malware. It isolates user tasks, such as accessing the Internet and opening questionable attachments and files.
"I spent about nine months in my home office creating the first implementation, and once I was convinced that the technology was sound, I raised a Series A round of financing and set out to build a team," he said. "We took another year to enhance and perfect the product and then start selling to customers for production use."
Bromium was funded by prominent venture firms, such as Andreessen Horowitz and Intel Capital. By 2014, it had many of the Fortune 500 and a number of US, Canadian, and UK government agencies as customers, as well as the New York Stock Exchange. Bromium was ultimately acquired by one of its OEM partners, HP Inc., in 2019.
"I'm exceptionally proud of what the members of my team accomplished at Bromium, and we learned a lot of lessons we applied elsewhere."
Some of Banga's tips for leading a startup:
- "Startups exist to solve problems. Be in the painkiller business. Understand everything about your customers' pain that would motivate them to buy your product."
- "Talk to at least a couple of dozen of your potential customers about what they would pay for a solution to their problems and use the insights from these conversations to shape your product specs. Don't get too attached to your original idea."
- "Continuously size up your market. Be your own devil's advocate and challenge each of your assumptions repeatedly."
- "Make sure the market is big enough, then learn to tell the story of why and how your team will build a massive company [that] will attract investors."
Balbix and the New Era of AI-Driven Cybersecurity
Balbix raised its Series C round on the heels of 250% annual recurring revenue growth in 2021, including four multimillion-dollar deals closed with Fortune 100 companies, as well as 200% growth in new enterprise customers all over the world, Banga noted. "We are now in sales cycles with dozens of Fortune 100 and similarly-sized international companies."
John Chambers, the former CEO of Cisco Systems, is an early investor in Balbix and recently wrote, "I believe in Balbix's future as a disruptive player in the cybersecurity sector because they ensure that senior business leaders, such as CEOs, CFOs, and board members have a way to accurately understand their cyber risk, make the right decisions, and deploy automation to reduce their risk."
The range of industries served by Balbix includes natural resources, manufacturing, medical devices, insurance, banking, utilities, retail, and many more.
"Our customers tend to be the world's leading companies, and we encounter a lot of variation in their needs, even among those in the same industry," Banga said. "Companies are investing in their security teams, and the C-suite and boards are paying much more attention to cyber threats. The challenges of cybersecurity are no longer a human-scale problem that can be analyzed and treated in the traditional way because the attack surface is exploding."
There were times when Balbix's team of fewer than 30 was presented with projects that were 20 times the size of anything they had done before, and they had to go without sleep for as much as 48 hours at a time for a month, Banga recalled. "It is awesome, truly awesome, and a huge privilege to work with the Balbix team. What our engineers do is magical and inspiring."
He says that Balbix uses special algorithms to help leaders understand and visualize the scale of the threat to their cybersecurity "posture" (which is everything from the condition of their IT infrastructure to human behavior that affects their vulnerability). Banga says its approach is "at least a hundred times better than alternatives, using advanced artificial intelligence to maximally automate their proactive vulnerability and risk management systems. We have an enormous opportunity."
Many companies, however, do not even gather the data they need to understand their situation, and if they do, the amount is overwhelming.
"Too many CISOs [chief information security officers] put off putting together the building blocks of an automated security posture and just add more security controls," Banga observed. "They end up with siloed data and tools."
Why Cybersecurity DIY Is so Risky
So, what is Balbix's real competition?
"About 80% of the time, we encounter a do-it-yourself approach by organizations with a home-grown solution that combines their team of everyone from security engineers to data scientists with data management technology and business analytics to deliver a unified picture of cybersecurity," he said. "But DIY risk modeling is not easy to get right and almost always fails to provide executives with the information they need to make business decisions. It is also problematic in that the process and results are often subjective, with different opinions in each organization about what is ‘acceptable risk.’ And DIY is not sustainable from an ongoing investment perspective."
Balbix has spent more than six years and $70 million so far building its cyber risk quantification (CRQ) offering "with more than 60 data science and data engineering specialists, plus many other engineers with specialized skill sets working full time to improve it further," Banga explained. "The gap between what we offer and what DIY by a handful of people at a particular company can do is large and growing wider every day."
How does he see the security challenges and solutions evolving with an increasingly distributed workforce?
"The broader range of options is here to stay," he answered. "Just as remote work turned out better than expected during the height of the pandemic, hybrid workplaces will do well. Cybersecurity will just require more automated, flexible, seamless, and employee-centric solutions to allow everyone to productively take advantage of this new way of working. With the traditional security perimeter gone, it will become increasingly important for security teams to know what devices are accessing their network, the data they hold, what applications they are running, and who is accessing them, what risk this brings, and actions needed to mitigate this risk — all in a near-real-time and data-driven manner."
About the Author
Scott S. Smith has had over 2,000 articles and interviews published in nearly 200 media, including Los Angeles Magazine, American Airlines’ American Way, and Investor’s Business Daily. His interview subjects have included Bill Gates, Richard Branson, Meg Whitman, Reed Hastings, Howard Schultz, Larry Ellison, Kathy Ireland, and Quincy Jones.