Perch Security breaks the mold in just about every way. Their branding is charming and funny – a far departure from the usual techy, serious branding of other threat intelligence companies. We spent an hour with Aharon at Perch HQ and spoke candidly about cyber threats, talent, and our tech community here in lovely Tampa.
On their Series A funding
Roxanne Williams: Back in October, you guys secured $9 million in Series A funding led by ConnectWise. What have these funds meant for the company, and how have they been used?
Aharon Chernin: It’s not as straightforward as it sounds. We raised the Series A, but before that, we were investor shopping. We had multiple investment opportunities and ConnectWise came in and did a really good job selling themselves and selling their market. Indeed, we were able to select them over all other potential investors because they really were the best. We also liked that they’re local. The main office that I go visit Arnie and crew at is maybe 10-15 minutes or so from our office, which is really nice. You’ll see ConnectWise people here, and you’ll see Perch Security people at ConnectWise because we’re so close.
We’re using the investment money to focus more on their customer type. Prior to their investment, we were selling directly to banks and healthcare providers and utilities – and with ConnectWise, they focus on IT Managed Services Providers, who then in turn sell to the same types of clients. It has allowed us to focus our business on the MSPs, which is building features that they like, which also means ConnectWise integration. So, a lot of the investment money, we’re using to further our ConnectWise integration into their products and to focus on the IT MSP customers that they have.
Roxanne: This is incredibly beneficial both ways.
On Arnie Bellini joining the Perch Security advisory board
Roxanne: I’m judging by what you said earlier that Arnie has joined the board at this point?
Aharon: Arnie has joined the board, yes.
Roxanne: How’s that going? Has he been able to provide valuable insights?
Aharon: He basically made the IT Managed Services Provider industry. He’s seen it from the most immature the industry has ever been to how mature it is today, basically, building it from the ground up – we’re doing the same thing with security in the IT MSP space together. Arnie is able to make a lot of correlations from the beginning of the IT industry and the MSP space to the beginning of the security industry and the MSP space. He’s been a ton of help.
On Perch Security’s growth, prior to funding
Roxanne: That’s awesome. You actually started Perch Security in 2016. Prior to the funding, what kind of growth had you seen in the company with staff expansion and profitability?
Aharon: We’re a startup and we are making the correct amount of money that we need to be making at this point, I guess, is a good way to say it. One of the reasons (on this last investment round with ConnectWise) that we had multiple offers to invest in us was our crazy amount of growth. If you think about software and cybersecurity startups, they normally go a year before they launch with a product, then they slowly acquire customers over time and gradually start raising more rounds and more rounds.
We started in mid-2016. By the time we took this investment round, we had over 100 customers on the platform. When I started the company, we had no product, we had no employees. It was just me and a PowerPoint presentation in June 2016. So, to go from June 2016 to October 2018 and have a company, a product, and over 100 customers is crazy, crazy talk. There are very few startups in the cybersecurity space growing at that rate.
On their Community Defense Platform
Roxanne: Wow yeah, that amount of growth is incredible. Tell us about your Community Defense Platform, for people who are unfamiliar with it. Can you give us the 30,000-foot overview?
Aharon: I’m going to give the IT MSP approach to this. Right now, when an IT Managed Services Provider offers managed security to their clients, they can only do it on a select few clients and then a select few devices that those clients may have. So, it’s a fraction of a fraction as to who gets protected by the IT MSP. With Perch Security, we offer a multi-tenant managed security product that allows the MSP to onboard their clients directly into the platform, and then we manage the client’s security – but we do it at such a cost point that they can manage and monitor all of their clients and all of their clients’ assets instead of just a fraction of a fraction, which is where we are today in the managed security space.
So, that’s kind of the IT MSP picture. For someone who’s not in IT MSP and someone who’s not in cybersecurity, the story is the reason why the IT Managed Services Providers need to offer security solutions is their clients are not IT people. They’re lawyers, they’re doctors, they work at clinics, they’re business owners – they’re not IT people. And the IT MSP comes and says, “Hey, pay us this monthly rate and we’re going to take care of all your IT needs.” But their customers assume they’re providing security services, and they’re not, other than antivirus and a firewall.
But antivirus and firewall are just low cost, low hanging fruit – they do not stop all the threats. There’s nothing that stops all the threats that businesses may see. The last research I read was antivirus, antimalware, also known as endpoint protection, was stopping approximately 3% of the threats that the devices see.
Aharon: With that, you need a security operations center monitoring your customer’s environment to see what threats get through the prevention, your firewall and your antivirus, and then be able to escalate that to the MSP to go out and resolve. So, that’s kind of the non-MSP and the MSP approach. And then if we’re talking to a bank, that’s another story. If we’re talking directly to a bank, we talk to them about cyber threat intelligence, which is what our tool uses to fight threats in the environment that may have slipped past their security tools.
On running Perch Security
Roxanne: Wow, so before this, I actually worked at an MSP and what you’re saying is totally legit: antivirus, firewall, that was it – no security whatsoever.
Prior to Perch Security, you were a director at DTCC and then CTO at Soltra. Can you tell us what running your own company has been like? What are the great parts of being the boss and the not-so-great parts?
Aharon: The great part is being able to create your own vision and be the master of your own destiny, being able to identify a problem and work with a team of extremely smart people to productize the resolution of that problem for our customers. I talk to a lot of folks who either are in college and young and want to create their own business, or who are in the corporate world who want to create their own business. As you saw, I came from a corporate background. I came from The Depository Trust & Clearing Corporation – they’re 10-15 miles up the road in Tampa. They have a campus with over 1,000 people – a very enterprise corporate environment. I moved from that to a startup.
People who work in corporate America think that corporate jobs are secure and last a lifetime. I say there are risks with corporate jobs and there are risks at startups, but they’re completely different risks. The risk of a corporate job is you’re not the master of your own destiny. You’re at the master of real estate costs, you’re at the master of budget approvals, you’re at the master of the economy, office politics, things that are completely out of your control.
And while a startup is risky because you don’t have the bank account size of an enterprise customer, if you work your butt off and make your customers happy, you’ll have a job. Unlike in the corporate world, where you can work your butt off to make the customers happy, you may not have a job. So, it’s been a big change there. Some of the cons are I have to worry about everything. I worry about things the employees don’t have to worry about and I worry about things that the board doesn’t necessarily worry about because it’s my job to think about everything to worry about.
Savannah Starnes: Do you wake up in the middle of the night a lot just thinking?
Aharon: I’ve always got a new worry. I think I woke up at 4 AM dreaming about something this morning.
On his proudest accomplishments
Roxanne: Ouch. On a more positive note, what’s your proudest career achievement? Starting Perch Security?
Aharon: Starting Perch and building this team. I’ve never worked with a smarter team than the folks here and it’s amazing that I’ve been able to get the talent in Tampa that I’ve been able to get, because Tampa is very anti-startup. I remember having to hire people–
Aharon: Yeah. This has been my experience. When I was working at DTCC, we were doing the startup-inside-of-an-enterprise thing. And if I mentioned that we were a startup, I would lose candidates because they were too risk-averse.
We don’t have people with experience for some of the most high tech tools here because we’re not Silicon Valley. Basically, trying to find that talent here was hard, but we happened to manage to do it.
Talent in Tampa
Roxanne: That’s actually one of my questions. In the last few years, have you noticed a positive shift in tech talent? I’ve done about 30 of these interviews now, and a lot of leaders have stated that in the last five years or so, the quality of talent here has increased dramatically compared to what it used to be. Tampa was not recognized as a tech city, Tampa was hospitality, real estate, and healthcare.
Savannah: How does it compare to the talent that you have over in Houston? Is it easier to find good people in Houston or about the same?
Aharon: It’s easier in Houston.
Savannah: Yeah, interesting. It’s bigger, I guess.
Aharon: One of my favorite things to ask developers in interviews is, “Do you do this for fun? Do you do this after hours? And, do you have your own projects that you’re working on? Let me see your GitHub, the projects you’re working on.”
We strongly encourage folks to go and build stuff in their free time and contribute to the open source community. We don’t see that as a threat. In fact, we see that as the ability for you to enjoy making your skillset better.
Roxanne: It’s passion. That’s the biggest thing you need as a developer.
On his biggest “oh shit” moment
Roxanne: So, I asked you what’s your proudest moment, what your biggest “oh shit” moment?
Aharon: We spent about 6 months in stealth mode. It was just a really small team of us, a skeleton team, trying to get this minimum viable product called Perch out the door. I found myself at a conference. Here I was emerging from a much, much larger company, a corporate enterprise company, and it was just me at a conference all by myself representing a company that was 6 months old trying to flag banks down to install our product. And I was thinking, “What have I got myself into?”
I was coming from a reliable paycheck every two weeks to standing in a hallway of a conference trying to flag banks down to talk to me. And that’s one of the, talk to the team about these stage gates of a startup and that if you don’t get through certain stage gates, you don’t have a company anymore. And we were at one of those stage gates, which was, could we get a bank to install our product that nobody else was using yet? That’s a pretty–
Savannah: Tall order.
Aharon: Pretty tall order. But next thing you know, we had 5 to 10 banks online. It was still very scary because we were testing hypothesis, we were selling a product that no one had ever sold or created before, and then the bank is going to have trust you and your team and your product to actually install it. Now, I would say we’re up to maybe 50 banks.
Savannah: That’s great.
On his involvement in the tech community
Roxanne: Speaking of startups and all that, do you guys attend events like Startup Week?
Aharon: I would love to do something like Startup Week, but we are so crazy. If we’re running at 1,000 miles an hour, no one here would be able to turn their brains off long enough to do it. I’ll give you an example. I got a call from one of my security operations center threat analysts on Saturday saying that they had identified a new botnet that no one had ever seen before and no one had ever reported on before.
Savannah: That’s a fun weekend.
Aharon: It was impacting two of our clients, and they weren’t aware of it either. And so, they did a write-up of it and the write-up included screenshots from the threat actors that created the botnet, and the Instagram accounts where they’re selling the botnet from.
Savannah: Oh my God.
Aharon: Back and forth communications with purchasers on the product. Basically, the market for this new DDoS-as-a-service product and we did a write-up of it over the weekend and published it on Sunday so we could be first to market on the information as well as reaching out to our two impacted clients who we’re talking to right now to figure out what types of devices they were. And so, this was a Saturday and a Sunday, which is a lot slower than a Monday through Friday.
They talk about the buzz that a successful startup has when you walk inside the door, and we definitely have that. So, I hate to say this, but depending on if you’re a startup that’s older than Perch Security, you might be able to do Startup Week because you have enough people to delegate certain things to and you can turn your brain off long enough to do it. If you’re a startup that’s Perch’s age or smaller, I don’t know how you’d do Startup Week.
Savannah: Right, you need all hands all the time.
Aharon: And if you’re a developer working for a startup and you’re at Startup Week, how does the company not want to move the product forward? It’s like a really weird balancing act. I would love to do it. I’d love to meet more people.
Roxanne: It’s just kind of one of those fun Tampa things to do to support entrepreneurship.
Aharon: It’s a great place to find talent, probably.
Tech in Tampa
Roxanne: Yes, it is [laughter]. What do you hope to see in the next few years for Tampa Bay when it comes to tech?
Aharon: I would say we’ve got a chicken and the egg problem with startups. You need investors to create new startups and you need startups to pull in investors, and so which comes first? You can make an argument for either side. We do have some investors in Tampa as you see by Perch – we’ve had multiple rounds from different investors in Tampa – but it’s nowhere near being Boston or being Silicon Valley where you’ve got thousands of potential investors. And I don’t have the answer for that. I don’t know which comes first.
There’s some argument to say that the education system pumps out smart people who then want to create startups that then attract the investors. So, it could be that, but then there’s some argument to say that the education system doesn’t create entrepreneurs either. And so, that argument kind of goes against it. I would like to see a real startup ecosystem.
Savannah: When you were starting Perch Security, why did you decide to stay in Tampa, if there so many more opportunities with investors elsewhere?
Aharon: I had my PowerPoint presentation, I was going to venture capital – I have a lot of CEO friends in the cybersecurity space, and they were able to make warm intros to VCs. I pitched to a bunch of them, couldn’t get any money, started, and I realized that I had missed a step that you can’t skip: the seed angel step. Every investment can make the seed step seem optional, but it is absolutely not optional.
VCs are not built to invest in startups that are so young that they don’t have seed or angel investment yet. Once I realized that, I switched my tactics into ‘okay, I’ll look for a seed round.’ I start finding investors in Tampa because that’s where I live, and once you get money from an investor, they always want you nearby to help. They want to help. And that’s how I got stuck here in Tampa.
Savannah: Stuck [laughter].
Aharon: The ConnectWise investment really locks us in to Tampa.
Words of wisdom for tech newbies
Roxanne: Hey, Tampa’s not a bad place to be! We kind of went over this a little bit with the passion bits, but do you have any advice for people looking to get into tech as a career? New grads often have trouble finding jobs because they don’t have the precious 2-4 years of experience everybody wants.
Aharon: Getting a degree in any sort of technical field does not mean you know anything about technology. I feel for the business owners that are not hiring them. Same goes for cybersecurity. I see a ton of unemployable people with cybersecurity bachelors and masters come out of the schools. In my opinion, the way we’re teaching cybersecurity is completely wrong.
Security is easy, technology is hard. It is much easier to take someone that is really, really good at understanding technology, like a software developer or a system engineer or administrator, and then teach them security. These people are going to be way better than somebody who just specializes in security as their career.
And so, with that, if you want to get into cybersecurity, my advice is don’t take cybersecurity. Get some sort of degree in IT or software development or whatever they’re calling it, and then go get a security certificate or certification on top of that, go for an entry-level SOC position, and take your software experience skillset and use that to excel within a team. If you go work at a base level security job and you know a little bit of software development, and you use that to help automate your day job, you will grow within that company. You may not even need to go look for a better job because you’ll have a skillset that’s so different than everyone else within the security team.
So if you’re a technologist, make sure you enjoy technology, make sure it’s something that you do after hours and you’ve got some demonstrable way to show that you do enjoy it and you do it after hours. That’s why I always like GitHub for developers or DevOps people. Show me your GitHub. I want to see what projects you’re contributing to and maybe have some of my other developers review your code that’s already in GitHub.
It also shows us that you’ve got the ability to code even though you don’t have any business experience coding. It also shows an interest that this is something that you enjoy because you’re going to be doing that every day. I’ve also seen GitHub become a warning sign. If I see someone’s that’s got a minimum of 5 to 10 years’ experience writing software or DevOps and they have no GitHub and they’ve contributed to nothing, that sets off a ton of red flags for us. So, it can be both used to your advantage and also your disadvantage as well. But I would totally love to hire people straight out of college who have a passion of software development and demonstrate it in Github, and use technologies that we use today, like Python and Elasticsearch.
On the Perch Security culture
Roxanne: Bird puns. Bird references. Which is the best bird and why?
Aharon: So, our culture – we call it flock culture – is by design. Our brand and our marketing and our product were all built at the same time. One of the mistakes that I see startups do is they think building the product is the most important thing that the startup does. And one of the things that I learned prior to Perch is building the product is important, but it’s maybe 10 to 20 percent of the importance.
Being able to sell the product is just as important as building the product. A good judge of whether or not someone dedicated as much time to messaging as the product, is simply go to a trade show where they have booths, and look at how many bullet points are on the booth behind them. If there are more than six, they’ve spent no time on marketing and messaging. If they’ve got just one sentence of words that’s very impactful, they’ve spent a lot of time on it. So, marketing and messaging is very important, brand is very important.
Accounting is very important and accounting is something that is just normally an afterthought of ‘we don’t have to worry about this stuff.’ What happens if you grow by 100 companies in a quarter, who’s sending out those invoices? Who’s collecting on those invoices? And what happens when they ignore the first one? Because a lot of them will. It doesn’t mean they won’t pay. But most people, when you sign up for Net 30 with them, that basically means Net 60. So who’s doing the follow up? A lot of entrepreneurs think, “Well that’s a good problem to have. I’ll do that myself as a CEO.” Or whatever. But you’ve got better things to do. Accounting is just as important as everything else.
So, with that, we started everything all at once. It was kind of like when we started Perch, we had the big bang: it was nothing at one point, and then several milliseconds later, we had a universe. We did a lot of market analysis, not talking to industry experts because we were the industry experts, but thinking to ourselves ‘what’s wrong with the industry when it comes to messaging and brand?’ and what’s wrong is, everybody looks the same in the security space. They’re serious, they wear a suit.
Roxanne: It’s red.
Savannah: Everything’s red.
Aharon: They wear darker red. They look like someone straight out of an IBM commercial.
Roxanne: It’s always the same branding. It’s those super high techy stock photos and the person touching a little digital circle and panels. Really, it’s all the same. You guys are so different. I love your branding.
Aharon: We’re trying to look different than every other company when it comes to security. We want to be relatable and approachable. Why be a company that’s not approachable by your prospects and customers? You should be approachable, just like any consumer brand strives to be approachable, why can’t a security company be approachable too?
Some of the flock stuff you’ll see around, is like, whenever we’re introducing the team, we might say ‘Meet the flockers’ [laughter]. We have ‘flocked up’ shirts as you saw, we have a ‘we give a flock’ shirt too.
Remember I said when we talk to banks we speak differently than we talk to MSPs. With the bank, it’s all about cyber intelligence. They receive all this threat information in emails and then they don’t do anything with those emails. And so, we had this big campaign with a melting ice cream cone with a face and in the background, it said “Use your threat intel before it melts.” And the character was just a character. The words were what was important. We just had this character to kind of bring it all together.
It became kind of like a cult following within the company [laughter]. This was not supposed to be anything to do, long term, with our brand. It was just an advertising campaign. It was supposed to stop and be done. They came up with a name for him, he’s called Melty. And you’ll see Melty down there. Someone tagged the wall with a Melty.
Roxanne: Oh my God. That’s adorable.
Savannah: That’s so cool.
Aharon: In Houston, I’ll see pictures of random Meltys all around town.
Roxanne: You know you’re doing something right. Is it okay if I take a picture of Melty?
Aharon: Yeah, you can take a picture. Let me try to find you a Melty in Houston.
Savannah: Now, when you guys are doing different campaigns and just coming up with different stuff, is it kind of like an open forum and everyone is just–
Aharon: No, you cannot do marketing by committee. And by the way, finding marketing people and salespeople is way harder than finding developers.
Savannah: Why do you say that?
Aharon: Because you can interview and test the developer. You can do a coding test.
Savannah: It’s very clear what they know.
Aharon: It’s very clear what they know. With marketing or a salesperson, you don’t know what you have until you bring them home.
Roxanne: Marketing is ever-changing as well. Anybody that tells you they understand anything or everything about SEO is full of it.
Aharon: An SEO is not marketing either really.
Roxanne: Depends if you’re a generalist. I do a lot of SEO in my work.
Aharon: I don’t have any Meltys. It’s really sad.
Roxanne: No Meltys.
Savannah: That is sad.
Aharon: And they’ve given Perch a name: it’s Perchy. They’re really creative [laughter].
You’ll see Perchy things throughout the place. So, they have a lot of fun with the brand. People love the brand. We recalled a fun fact that very few people know. We were called Prairie Fire in the very beginning, we have a stealth brand called Prairie Fire – and my whole reason behind that was I see this as an entrepreneurial mistake: they spend all their precious initial time trying to figure out their company name. Instead, start building products, start working on other things, start working on messaging, start working on your voice and your tone, and then maybe your company will emerge during that process. There’s no reason to wait until you have a company name to start moving forward.
On how he came up with the name
Savannah: How did you come up with Perch Security?
Aharon: I was looking for a name that wasn’t threatening. Let me give you some common names in security companies: dark, threat, cyber, intel, smoke, fire, alien, monster. These are all in our security company names. I knew it needed to be benign, the company name.
We started with banks, and banks’ issues are with cyber intelligence. What cyber intel is, is simply someone telling you something is bad. Someone emailed you, “Hey, look, we found this new malware. Whenever it calls home, it uses this specific URL,” and banks receive these emails all the time because they’re members of cyber threat intelligence groups, like the FS-ISAC. With that, since someone is telling you about a threat, odds are they also solved the threat. Knowing what all the threats that your community sees helps you to be able to defend yourself. Perch provides that as part of the features set in our product. The way that I was imagining the name was, you’re kind of perched up in a tree looking down at your community and the threats are seen. That’s where that was born.
Roxanne: Last one! Any further thoughts you’d like to share, anything exciting coming down the pipeline for Perch Security or for yourself?
Aharon: Well, I shared the new DDoS event we found over the weekend. We’re also investigating a few other unknown threats that the market hasn’t seen yet.
Savannah: Interesting. And why hasn’t the market seen those, I just don’t know enough, how are you guys able to see these threats, or positioning yourself to see these threats?
Aharon: Because the security industry is focused too much on the hype cycle and not on securing customers. I’m trying to find a positive spin here, so bear with me.
Roxanne: That was a damn good sound bite though [laughter].
Aharon: So, we focus a lot – as an industry – on the hype cycle. And one of the things that I’m learning about the security industry hype cycle is the hype cycle is not hyping products. The hype cycle is hyping features. You have entire products and companies being built around a feature and not being built around a product – but that doesn’t mean that those features are bad, necessarily.
One of the big cybersecurity hype cycles we went through about 5 to 7 years ago was big data. Everyone thought if they put in a big data analytics platform, they’d find out the threats and their company would be secure. Very few of those were successful. However, today, Perch Security is right on top of one of those big data platforms that hype cycle tried 7 years ago. But it’s not the product, it’s just one of the many features that it has. The hype cycle right now is all about artificial intelligence in the security space.
All the innovation is going into artificial intelligence when artificial intelligence is just a feature that should be added to potentially existing products to help augment what they’re doing today. With that, we have a lot of folks installing these boxes that provide artificial intelligence and they’re not finding new threats. One of the real tests to whether or not a new feature is working within an industry is, where are the press releases? If I am finding new things that no one else has ever seen, I’m going to do like Perch did this weekend and release the report on a new threat actor that we identified.
If other hype cycle tools are finding new threats, where are the reports? It’s just a really good way. And so, with that, we’ve been kind of good at identifying the correct hype cycle features to add and when to add them and how to add them into the platform. Nothing beats an analyst. All the new threats that we’ve been identifying have been by hiring really, really good talent, really good analysts that have a vested interest in protecting our clients and helping to grow Perch Security.
About Perch Security:
Perch Security detects known threats on your network and host, with analysts monitoring your alerts 24/7. Connect to all of your threat intelligence sources. Store your logs for compliance. Access everything through a central application. Learn more here.
Want to nominate a tech leader for us to interview? Fill the form below!