A Security Merger in the Cloud

March 20, 2017 –Business-school students can look around and see their future corporate partners and rivals. When Rehan Jalil was in the Advanced Management Program at Harvard Business School, he looked around and saw a future business. Most MBA students were using cloud tools to do their work. “Then when they go on to their work life,” says Jalil, “it’s going to all be the cloud applications.” In that moment, he saw the future need for cloud security.

Not If but When

This is back in 2011,” says Jalil. “My conclusion was that the full suite of productivity applications was going to be in the cloud.” He was surprised, then, when CIOs he spoke with didn’t want to use cloud apps widely. Their companies weren’t using the cloud: “The top answer was the cloud just wasn’t secure enough for enterprise.” Jalil knew that as his fellow students went on to do business, they would bring the cloud with them. CIOs wouldn’t have a choice.

“What if you actually solve this issue of data protection, monitoring, and compliance for these applications where the data is in the cloud?” he wondered. “The entire stack of security that existed at that time in the enterprise world,” he says, “had almost no relevance to the cloud.”

He wasn’t looking to add a layer of security to the existing infrastructure. “It was a total new way of doing security,” he says. “This wasn’t going to just be a feature addition.”

Meet the Brand New Security Stack

The conviction led him to raise money to pursue what became Elastica. Jalil already had a relationship at Mayfield. The firm had invested in his prior company, and he was a venture advisor there, serving as a sounding board for Mayfield’s investing partners. “Not everything can be explained with a spreadsheet,” he says. “Being a venture advisor is all about understanding an ecosystem: where are the issues and what are the fundamental new ways of solving those problems.”

One of these problems was cloud security. “When I talked to the professionals who were the guardians of enterprise,” says Jalil, “they understood there was a huge value in going to cloud, but the monitoring control and security didn’t exist. It was kind of like letting go of your data, in the wild, and then not knowing what is going to happen with it. It was a big concern.”

Navin Chaddha of Mayfield immediately understood the opportunity to build a brand new stack of security. “Mayfield led our entire Series A round of $6 million in 2012,” says Jalil.

A Pause Isn’t (Necessarily) a Reset

Elastica wasn’t Jalil’s first entrepreneurial venture. He’d previously founded and run WiChorus, which had been successfully acquired by Tellabs, and some of those same team members signed on to Elastica. Jalil continued to talk with CISOs as the new business started up. “I wanted to validate the feature set we were going to build,” he says. “Literally all the feedback was: we’re not going to be buying any such cloud security for a long time. That was a shock to the system, because we had just raised money.”

He had to make the first of many tough decisions, which was to delay product development for more due diligence. “This happens with many entrepreneurs,” says Jalil, “because you have many options of solving many different problems. We literally put development on hold.”

Mayfield fully supported Jalil’s decision. “Many VCs would have gone, ‘You just convinced me that this was the best thing on the planet to do. Within a month of our investment, how can you turn around and say that you will put this thing on hold?’” says Jalil.

Elastica slowed development and spent the next three months figuring out if they were going about it the right way. “The main issue was timing,” says Jalil. “We knew cloud security was going to be big at some point, but was our timing right?”

What the research showed was a coming groundswell. “Users were choosing to use Google Drive, and Box, and Dropbox, and Salesforce, and Hubspot,” he says, “all of these cloud applications. Those users weren’t asking for permission. They were just using it, and the security teams would be catching up with them. That was our conviction when we came out of this grueling few months of gut check.”

“The entire stack of security that existed at that time in the enterprise world had almost no relevance to the cloud.”
Rehan Jalil

Diversity in Expertise

Another thing that surfaced during the due diligence period was a newfound sense of how many disciplines would be needed to form the Elastica product. Jalil knew from the start that Elastica was approaching the problem of cloud security from the ground up, and the team would need diverse skills — not just security, but cloud expertise, machine learning, artificial intelligence, data science, networking, UX design, scaleout elastic systems. “I am most proud of our super talented Elasticians and we work a like a family together. Its an honor of my life to be working with them,” he says.

“What was shockingly obvious was how terrible the user experience was in security,” he says, likening the existing interfaces to 1990s-era software. To Jalil, this wasn’t just about aesthetics. Design was a security issue because the existing tools were so complex that they led to negligence and errors: “We wanted to have a high-end focus on usability, design, and simplicity to highlight these issues. So we needed a high-end user-experience team.”

Personas First, Customers Later

The company had no real product yet, and no customers. No customer had given us a check at that point,” says Jalil. Elastica was still sorting out who the user would be — and the answer was plural: users. Elastica was focused less on a single product and more on a suite of applications.

He recognized that the security product would be touched by multiple different professionals inside a client company. How, then, would the network infrastructure team differ from the administrators, from the information protection team, and from the incident response teams?

Each of these user experiences was needed by a different persona: How would they actually want to use this thing. The answer was an operations center, quite literally. Elastica developed CloudSOC, its trademarked term that stands for Cloud Security Operations Center. Says Jalil, “In traditional security, you would buy one appliance for data loss prevention, one appliance for firewall, one appliance for intrusion detection, and one appliance for incident response. In Elastica you would go to our app store turn on or buy different apps without having to do any plumbing that you generally have to do with security.”

When to Open the Door

“There’s always the pressure of when to launch your company,” says Jalil, who kept Elastica in stealth mode (“one single-page website, people speculating on what we’re doing”) for as long as possible. “There is market pressure, too,” he says. “You want to be the first one to be out and talking about it.”

There were two options: launch the company with one security application, or wait until the full multi-app offering was complete. “By that time a competitor had launched with one of the features that we had,” says Jalil. “We decided we’re not going to launch until we have the entire framework of CloudSOC together. I think the decision turned out to be right decision.” Among other things, waiting for the complete product allowed them to present it as a premium offering.

Staying Independent

Even before launch, back in early 2014, there was interest from potential suitors. We went to talk to one senior exec, and they had us talk to the entire executive team. It turned out that the company was betting on cloud to be the next big wave.” This company wanted to purchase Elastica. “There was a generous offer for our company,” says Jalil, “which was then less than 18 months old.”

“We, along with Mayfield, decided that we could build something much bigger in terms of the product,” he says. “This wasn’t the right time for the company to focus more on a narrower goal and mission.” Jalil opted to keep Elastica independent and pursue solving the security problem comprehensively.

“From an earlier partnership with Rehan Jalil, we knew his laser focus, deep technical expertise and attention to customer delight. We were honored to partner with him again in 2012 as Elastica, now part of Symantec, created the new category of CloudSOC which addresses security vulnerabilities of cloud apps.”
Navin Chaddha, Mayfield

Going Live and Wide

Elastica launched at the RSA Conference in 2014 as an entire cloud security framework, as Jalil had envisioned it from the beginning. The team was medium-sized, with, as Jalil puts it, “many PhDs from MIT.” Shortly thereafter, the company made headlines by exposing the “Heartbleed” vulnerability, which garnered a lot of press. Gartner, the research firm, listed cloud as the top security priority. “That’s a big deal for such a nascent technology to pop to number one,” says Jalil.

In turn, Elastica announced numerous deals, chief among them Telstra, the major Australian telecommunications company, and Cisco, which became a formidable partner. Elastica became a product sold by Cisco, and its resellers, which vastly expanded its market. “We raised our Series B of about $30 million from Third Point, Telstra and Cisco, to help us grow the company and hire more sales team members,” says Jalil.

Merging to Grow

Cisco remained an essential partner as Elastica matured, so much so that Jalil turned down some potential partnerships rather than risk the relationship with Cisco. The company’s well-respected product attracted several suitors, and by July 2015 Jalil had a new important decision to wrestle with: “Should we get a banker and try to sell the company?”

He decided against an auction, preferring to talk with interested parties and gauge the opportunity. In November 2015, after less than a month of talks, Blue Coat purchased Elastica for $280 million: “There were a lot of public companies interested. Blue Coat was private and cash rich, because it was private-equity funded, though they were about to go public.”

“We decided that Blue Coat would give us the platform that would enable us to link with their 15,000 security customers,” says Jalil. This wasn’t just about scope. It was about complementary products, and a shared customer base. “The buyer that they had was similar to the buyer of our product,” says Jalil.

Blue Coat differed in numerous ways from previous acquisition offers. Jalil says he sought Mayfield’s counsel, and they agreed with the direction, as did the rest of the board. Jalil reflects on the early decision to delay product development, and the various suitors they’d deflected over the years. “The trust Mayfield put in us,” he says, “was invaluable.”