Marten Mickos, the CEO of cybersecurity firm HackerOne, says the key to succeeding in security is “pessimism or cynicism.” However, Mickos doesn’t have the traditional background of a security boss; he was previously the CEO of database firm MySQL and cloud software firm Eucalyptus, as well as a high-ranking HP executive.
Those very traditional IT companies are a long way off from HackerOne, which offers cybersecurity researchers “bug bounties” to find flaws in the products of customers like Adobe, Dropbox, Square, and Uber.
Fast Company recently spoke with Mickos, a native of Finland, about switching over to cybersecurity, what it’s like to interview for CEO with the CEO you’re replacing, and the difference between Silicon Valley and Europe.
Here’s how he explained his career switch:
I joined HackerOne in November 2015. I was contacted by Bill Gurley of Benchmark, who was one of their early stage investors. I know Benchmark very well, and I have led two companies in their portfolio, in fact.
Bill called me and said, “Hey Marten, I heard you’re ready for your next step, and boy do I have this amazing opportunity for you . . . ” At that point, it didn’t trigger any particular reaction in me.
Interviewing With The Person You’re Replacing
I was actually thinking to myself, ‘Okay, this sounds like a small cybersecurity company, and who would ever want to do cybersecurity?’ I wasn’t sold at all based on the call, but I agreed to meet with one of HackerOne’s founders, Merijn Terheggen, who was CEO at the time.
I think it’s a sign of a healthy company that a founder who is CEO can do the recruiting him or herself. They realize the business is starting to grow, and that they need a pair of hands that have done it before. There was no doubt about what they needed, so it was the CEO who recruited the CEO.
I liked that nobody was being sidestepped or sidelined–it was a decision among all the founders to look for an experienced CEO. It really helped me get sold on the idea; I wasn’t being brought in from the side. I was talking directly to the founding CEO.
In my career, if I get really interested in an opportunity, I will do my own research. I sort of test myself by seeing if I can write a strategy for the company. If I cannot do that, it isn’t a good fit. But if I can write the beginning of a strategy, that’s a sign I understand the business strategy–I wrote some ideas and showed a few drafts [to the hiring board], and asked if it made sense. That was a way for them to test me, and for me to test them, to make sure there’s a good alignment on what the company needs to do.
What The Security Industry Is Like
There are industries that have very strong behavioral patterns and norms. Security is one of those. For most people in this segment in the past, for many years, it hasn’t been easy to come from the outside in. But it’s changing.
Security used to be more of a closely knit group of people who did just that, and were a little bit separated from the rest of the software industry. It’s now opening up, and more welcoming to anyone from an adjacent space like myself.
It’s interesting for me. To be good at security, you need to be paranoid, suspicious, doubtful, and sometimes a little bit cynical.
Especially in tech, there are so many opportunities where it’s just the upside. It’s very positive and happy, and success is based around building something new. But in the security space, it’s about protecting, defending, and removing threats and weaknesses.
I think in the past, the security industry perhaps overcorrected on being cynical. Now, it’s a more balanced view where you have to be paranoid and defend yourself, but you can also take productive, constructive steps to get to your goal.
There’s a difference between large companies and small ones. But you can also look at similarities, and know that any organization has a mission. They have a goal and results to produce, and when you focus on what needs to be done, you can get a small team to operate very well inside a large one.
When MySQL got acquired by Sun Microsystems, it was a beautiful example. Sun Microsystems was a giant corporation at the time with lots and lots of employees–I think maybe 30,000? In we came in with about 500 employees.
But as an incoming group, we decided that the moment the acquisition closed, we weren’t MySQL employees. Instead, we are Sun employees, and we need to do what makes Sun successful.
So we ran our own database business, but told ourselves to change our mind-set on that day to be useful for the whole corporation and vice versa.
I think Sun, as an acquiring company, did a phenomenal job of assimilating us and letting us do the business we do. We gained a lot of connecting tissue immediately with people working in other places; we didn’t remain isolated, but we also weren’t crushed.
Business Culture In Finland Versus Silicon Valley
Silicon Valley is completely unique in the world. In Finland, or broadly in Europe, an hour is not a long time, but a million is a lot of money. In Silicon Valley, it’s the opposite–a million is not much money, but an hour is a very long time.
When you come here, speed of action and agility is paramount. The number of dollars you make or spend or burn or get is less of an issue.
Of course, you always need money, and money plays an important role, but the bottleneck is not money, it’s time. Whereas in other parts of world, the bottleneck is money but not time.
Another difference is the sheer positive mind-set. Americans say, “Good for you,” very concretely. I previously thought they didn’t mean it, but they mean it. Especially in Silicon Valley, people truly are generous to each other about success, and genuinely want each other to succeed. That’s just a wonderful source of generosity, spirit, and inspiration.
I find it extremely rewarding and healthy. You build a healthy society when you’re generous to people you do not know.