Ron Gula’s career sounds like something out of a James Bond film.
His early years were spent as a hacker for the National Security Agency, where he spent time “penetration testing” the US Department of Defense, simulating attacks from countries like China and Iran.
In 2002, he left the NSA to found cybersecurity firm Tenable Network Security. He served as its CEO and raised more than $300 million, including a $250 million round in 2015 that was a record for a cybersecurity firm at the time. Tenable has more than 27,000 customers and went public last year.
Gula now runs his eponymous venture capital firm, Gula Tech Adventures, which invests in cybersecurity startups. His career as both a hacker and successful founder means he is uniquely well placed to make bets on security firms, in an environment where the threat from bad actors is only getting worse.
“Nation states have resources which include time and non-cyber methods,” he tells Business Insider, reflecting on the threat landscape. “If you are targeted by them, your employees could be co-opted, satellite imagery of your house and business could be used to plan surveillance, [and] your phones and text messages may be intercepted.”
Gula hopes his move into venture capital can support the cybersecurity industry, and therefore US security, on a much larger scale than when he worked as a hacker at the NSA.
“Before I founded my VC firm, I was an angel investor for a time,” he says. “It was through that I realised I could work with other VCs to identify the next generation of cybersecurity firms.
“Being a VC in the cybersecurity industry is like having been a pilot and investing in aeronautics. I understand the mindsets of hackers, of nation-states, of small businesses.”
Based in Columbia, Maryland, Gula Tech Adventures has investments in more than 30 companies. Recent investments include RackTop Systems, which raised $15 million to develop secure systems used for storing data, and SCYTHE, a cyber attack simulation platform that secured funding of $3 million.
It’s big business. Research firm Gartner forecast that global spending on IT security will hit $124 billion this year, with organizations protecting themselves from hacks and adapting to rapid technological advances.
The three things Gula Tech Adventures looks for in an investment
Gula says he and his wife Cyndi, who is his partner at Gula Tech Adventures, are very selective about the companies they invest in. They have a list of boxes to be ticked before parting with their cash.
“There are three things we look for in every team [that pitches for our investment],” Gula explains. “One, we have to like them; they have to like us. Two, we’ve got to like the tech — we don’t invest in companies before they’ve fully figured their tech out. Three, the teams have got to be financially interesting, no matter how much we like the tech.”
Yet despite his strict criteria, and his experience as a CEO, the hard-headedness of the VC world is something he’s still getting used to.
“Most people don’t realise just how selective VC firms are. We probably get four or five pitches a day, and we’ve only invested in around 30 companies,” he says.
“When I say ‘no’ to a company, I ideally like to tell them why, but I often can’t, because we get so many pitches. Saying ‘no’ and moving on without explaining things is hard, especially because when I was CEO at Tenable, I was always saying ‘yes’ to things. But you have to say ‘no’ and move on at times. Ultimately, we’re a VC firm, not a think-tank.”
Once companies have Gula Tech Adventures’ backing, they benefit from Gula and his wife’s experience. He sits on the board of a number of the companies he partners with, helping shape the business in a hands-on way. “Between the two of us, we’ve seen almost every phase and challenge a cyber startup goes through,” he adds.
His NSA experience also comes in handy when handing out advice. “If you are a one-person penetration testing army and you aren’t teaching your team, or growing your team, or giving them opportunities, you don’t know penetration testing as well as you think you do, and don’t understand that we are so short-staffed in [the cybersecurity industry]. We need to continuously train more people in this profession,” Gula says.
The one that got away
Gula and his wife may be careful investors, but he wishes they had made some strategic investments earlier on in their careers. The first was on “managed detection response services,” which help organizations pick up threats, respond to breaches, and monitor their technology.
The other would have been venture outside of security. “I also regret not sponsoring Jordan Spieth before he was famous. Spieth’s Dad was a rep at Tenable when Spieth was a promising kid, and we could have sponsored him, but we didn’t in the end. Just look where he is now.”
Gula may have failed to spot the next big thing in golf, but you wouldn’t bet against him investing in a cybersecurity unicorn of the future.