In this episode, Doug C. Brown speaks with Jim Simpson, the CEO of Blumira. They discuss how a company’s culture is critical to ensuring lasting success, why strong leadership transcends the workplace, how businesses of all sizes can protect their cybersecurity, and more.
Jim Simpson is the CEO of Blumira, a leading cybersecurity provider of automated threat detection and response technology. He has over two decades of experience growing successful security startups. Simpson joined Blumira as Vice President of Product and was responsible for guiding the company’s strategic product roadmap, with a focus on accessible, easy-to-use detection and response technology. In December 2021, he was named chief executive officer of Blumira. Before joining Blumira, he led product management at Duo Security, an access security provider that was acquired by Cisco in 2018 for $2.35 billion. He also led engineering and UX at the network security company Arbor Networks, which was acquired by NETSCOUT in 2015. Simpson holds a B.S. in computer science from the University of Michigan.
Visit his website: www.blumira.com
I have another great guest. His name is Mr. Jim Simpson. He has a company called Blumira. They’re at Blumira.com. He’s the CEO of the company. We’re going to talk about how to use culture in valuing employees, how you can raise your revenue in your company, and why it’s important. This guy is fascinating. He’s got a lot of very interesting things to say. I was taking copious notes throughout this interview because I was learning much from him. He has built companies up to 800 employees and they sold off to large companies like Cisco. They used culture and valued the employees as the bedrock or as part of the bedrock of growing the company.
Believe it or not, you have a culture in your company, whether you like it or not. It’s the way it is. Your culture can be very supportive or non-supportive. I bring up an example of a company, as we were talking about, where I find the culture and the end user experience are shifting. It would be interesting to see where their revenues are going to go over time.
They’ve been having some revenue challenges. I believe, in part, it’s because of the cultural shift that’s going on with the employees in this company, not Jim’s, but another company, which we all know, which I will name in the show, has been shifting. That’s causing people not to want to go and buy from this particular company.
We’re going to start with culture, then we’re going to shift to cybersecurity because Blumira is a cybersecurity company that handles small and medium-sized businesses and makes it affordable. I wanted to get some cybersecurity considerations in on this show for you because a lot of times, small or medium-sized companies don’t pay attention to this because it’s not cost-effective.
Blumira is able to make it cost-effective but when we neglect these things, they can come back and bite us. I’ve had it happen to me as well in my companies. That’s why I bring it forth. Let’s go talk to Jim right now. You’re going to enjoy this. Get a pen and paper or a digital notepad. Take some notes. Here we go.
—
Jim, welcome to the show. Thank you so much for being here.
It’s my pleasure. Thank you for having me.
We’re going to talk about culture and value in employees. It’s one of those things that people go, “That’s a great idea, but how’s it help me grow my business?” If somebody was saying, “You’ve been from startup to $5 billion or $1 billion, you’ve been all over the all over. How does valuing your employees and building on a culture create revenue growth in a company?”
I saw this happen at my last company called Duo Security. We had a CEO, a fellow named Dug Song, who was very intentional about culture. What was interesting is that when we were 30 or 50 employees, it was hard to tell what the culture was because startup days are chaotic. It’s like being on a pirate ship and you’re on the rough seas. It was hard to tell in those early days. How it manifested itself later was a hugely successful company where in spite of having almost 800 employees when we exited, still felt very familial and had low egos throughout the organization. If you looked at our P&L, you would’ve been shocked at how well we were doing.
For me, it was not the fact that we were hugely successful. It was how we were hugely successful. The other interesting thing is that there’s this expectation of people having this idea of a startup versus corporate. How do you define corporate? Is it the size of a company or a way of doing things? The fascinating part for me about that culture was when we got to 800 people, we were a corporate organization. We had plenty of G&A and processes. Our finance people were doing finance things, but we didn’t feel like we were a big company.
We were punching at a big company level and it felt like we were still a small company. The reality is when you have a great culture, it drives results and it feels like you are having a lot of fun in the process. The results followed that we had a great product, but we wouldn’t have that great product if we hadn’t had a great culture. Because we have a great product, we have great sales and because we have great sales, we can continue to build on it.
Having a great culture drives results and makes it feel like you are having a lot of fun. Click To Tweet
You said something cool here, and I want to come back to it because every person I talked with, maybe with the exception of two, has always wanted a small company feel in a big company. They wanted to feel like they mattered in some capacity. I won’t name names of companies I’ve worked with, but they didn’t know they had a division or another manufacturing plant 50 miles from where they were because they were big. When you get to a certain size company, a lot gets lost and people feel like they’re a number. Eight hundred is a very good size company. It’s not 150,000 employees, but it’s still a good size company. How did you do it? How’d you pull it off? I know a lot of people are thinking like that.
First of all, I do think a lot of it has to do with your leadership, repetition of the stated goal of building culture and using that to infer every touchpoint with the organization. A number of the things that went into that. For example, our company had biannual kickoffs when we were a small company every six months because we felt that as when we were a startup, things were changing often and we needed to get everybody together and have a conversation about everything that was changing so that everybody could stay on the same page.
In those kickoffs, we always made sure every part of the organization had some voice. Sometimes we would do cool things like get a panel of people from different parts of the organization and then ask them all what their perspectives are about something that we were doing, both positive and negative, to create this idea that we were one team.
Another thing that went into it was, as we became multi-site, we were intentional about where we located activities. We also made sure that our leaders were going between those sites on a very consistent basis so that we could bring the culture there. We also were thoughtful about how we time things because we had on our headquarters were in Michigan, but we had offices in California and London. We were always thinking about, “When do we time certain events so that we can make sure everybody is able to participate?” Being inclusive across the organization was important.
The other part about it, which is pretty interesting, is a lot about bringing people together. There was this strong idea about pushing decision-making down. It’s one way of saying like, “How do you empower people? How do you make them autonomous in their roles?” In my career, I hear people often say, “I want to be strategic.” Sometimes you give them that opportunity and they both had it because they’re like, “Being strategic is hard. I want somebody to tell me what to do because I’m scared.”
The flip side of that notion of pushing decision-making down was learning together and creating the support and the structure so that people could grow. We had our own culture day that everybody would go through on a monthly basis so they could learn about what we believed in, how we did things, what the history of the company was, and how we do meetings and all of those things to create our own consistent culture. We operationalized it.
In big companies, you’ll find that finances and HR are in their own area. We made sure that everybody was doing their role as best as they possibly could. We had a lot of specialists in all these different departments. You could learn to depend on people for certain things as well and remain connected. It evolved too. It wasn’t one day when we figured this out, but every quarter, every year, we were checking, “How do we continue to build on this?” because we don’t want to lose it.
You have had an inclusive environment throughout because you had eight hours between London and the west coast. I know from doing a lot of events that it’s hard to pull off. People go, “What are you talking about?” It’s hard to pull off between eight hours, especially on a corporate workday. You were allowing decision-making to be pushed down. People felt autonomous and felt a sense of responsibility. What I got out of this was that you had a leadership team that actively worked on this.
Let’s say there’s a company that is doing $15 million. They’ve been slugging it out and getting there. They don’t have the culture, but they want to pull the culture together. Everybody has a culture, but it’s not a well-thought-out strategic culture like I’m hearing. Where do they start? For example, they’re a startup company or they’re doing $50 million but their culture isn’t what they want it to be.
First, I’d be impressed that they got to those numbers if they hadn’t thought about that because it’s hard to do if you aren’t thinking about culture. I’d say congratulations to them. Second, I would say, “You have this opportunity now to turn that into something even bigger by focusing on your people. I would ask them a lot about, first of all, do they call it HR? Do they call it people?
I think that there’s something about that. In the early days of Duo, we called it people and culture on purpose because we wanted to focus on the fact that there was a cultural aspect to it. We also looked for people who had high EQ for those functions who could look at the organization and see how’s it going. How are people feeling? How are they doing? We had a people ops team who was dedicated to focusing on building out that culture.
I would try to see how they are facilitating it. Is one of those things where it’s HR ops, where you’re focusing on making sure people get their benefits and what have you? Are they thinking about, “We should have a management training thing that we send everybody to? We should be getting people together on occasion to go through what our values are. We should have a way for people to give praise to each other.” Are they doing any of those things? Are they doing any lightweight things?
We called it Coffee Roulette at my last gig. We call it a Coffee Chat here at Blumira, but effectively it’s a way to match up different employees across the organization so that they can meet each other. I participate in that. I am not above anybody in my organization. I want to hear from them and I want to know who they’re and what they’re doing. A lot of times, we get to talk about personal stuff, but a lot of times, people are like, “I’m with the CEO. I’m going to ask hard questions.”
That probably would lead to another thing, which is transparency. How much do you tell your folks to create those cultures? In leadership, you’re in that hard spot. You need to tell people enough so that they could be effective. You want to tell them enough to be transparent and there’s all of the other stuff that’s challenging, but you have to be intentional about that transparency and give people enough and trust that they’re going to do good with it. That will then go on to the next layer or generation of folks that come into the organization.
I’m unemployable, but I would love to work for you. It’s awesome to hear and refreshing to know CEOs who talk like this. I don’t want to pick on certain companies because I don’t want to get sued by Amazon or Whole Foods. But I’ve been finding lately when I go into, let’s say, Whole Foods, that the cultures shifted and the employees there are now talking a quasi-disparaging type of conversation. They’re not as happy.
I hear them commiserating behind the counters. I can feel the shift in the culture going on within the company. I’m not picking on the company or singling it out, it’s nothing personal. I was there recently. They usually have a good customer service logo up on the wall. I’m thinking, “Nobody is living into this mission any longer in this place.” If a company is at a huge gigantic level and they’re slipping with the culture or they’re transitioning away from what they deem the employees to be valued, how will somebody possibly pull that back? Have you ever been in that position?
What that makes me think about is leadership. You have to like look at the values of leadership. The CEO has a lot of things that they can do. One of them is to choose to be intentional about it. When we look at the historical values of Whole Foods versus Amazon, there is a difference there. Once you become part of that parent company, unless something is very explicitly decided in the terms of the contract, you are likely to be subject to whatever the culture is that you’re going into. We did have an exit at Duo. We got acquired by Cisco, which is an 80,000-person company.
It’s a Silicon Valley figurehead that’s been around for a very long time. It’s a very successful company but not traditionally a software company and not necessarily a security software company. They’ve done a lot of security software acquisitions over the years, but much of their business still comes from hardware. We got to witness how acquisitions went for other parts of the organization versus how it went for us. What I’m proud to say is that more or less what remains of Duo Security inside of Cisco is the R&D team.
The R&D team had a strong culture. What’s fascinating to me is that I do believe that the Duo product is still one of the highest-performing things in their software portfolio. That part demonstrates to me that culture can still drive results post-acquisition. The downside is that management on the Duo side has a more challenging time because of the difference in culture between Cisco and Duo. You’re fighting several years of culture there. What’s interesting about Cisco is the very top of the organization, the executive leadership team is interested in making changes to culture.
Culture can still drive results post-acquisition. Click To Tweet
When you’re in an organization that size, even with the best of intentions, things move a lot more slowly than you might want. Folks like me jump off to startups because we like to be in little fast pirate ships. We’re not necessarily interested in being in a comfortable cruise ship, although every once in a while, I look at my tax returns and think, “Those were fun days at Cisco.”
There are pros and cons to it all. In fact, I had a former employee of mine who left Cisco to go off to a startup, and he’s had some challenges. As a mentee of mine, we were chatting about his opportunities and I said, “You’ve got to decide what you want the next phase of your career to be.” He was afraid like, “If I go work at Cisco again, isn’t that like I’ve failed?” I’m like, “No.”
If you want a great place that’s stable with good benefits and you want to learn to become a manager, you have got many people there who are going to help you. It is not losing. It’s doing a great thing. Sometimes you’ve got to go out there and get perspective to see what you want to do. None of this is bad, but it was challenging and some departments within Duo that migrated to other parts of Cisco don’t exist anymore because the parent culture was too strong for them to persist inside of it.
I’m going to deviate here because there are a lot of entrepreneurs that are reading this. You said something and I don’t even know if you know how brilliant that was. Maybe it did. We’ll see but it’s what I got. I’ve talked with many entrepreneurs who worked as I did. I worked for major companies. Then I went out on my own. In some cases it went okay. In some cases, it imploded. When it imploded, I went back to the company I worked for to regroup. I learned much from that experience of my project imploding and then going back and then having that fully different perspective. That’s the word you used.
That is a growth phase for people to capitalize on it. If they take the exact attitude you said, “It’s not a failure. You had a bump in the road and if you’re going to be an entrepreneur, there are bumps. That’s the way it goes. It’s part of the game.” That was brilliant advice for people. If you don’t succeed the first time, it’s okay. I would argue it’s part of the process of becoming a very successful entrepreneur to make mistakes, as painful as they can be. You are the CEO of a company called Blumira. They are a cybersecurity company. Why don’t you tell people what you do because it’s pretty cool.
We’re going to do a quick pop quiz here. We might have done this before, but I’m going to ask you again. How many days do you think it takes for a company to detect and remediate a breach on average?
The IT guy in me should say, “It takes 24 hours,” but I know it’s longer than that. Is it 5 or 10 days? I’m not sure.
With Blumira, you could do it in 24 hours but the average is over 280 days. It’s 212 to detect it and 70 something to remediate it on average. It’s come down over the years, but that’s a long period of time. The challenge is that a lot of the tools that are out there are built for big organizations that have the resources to bring to bear to operationalize them from a cost and staffing perspective. There are a lot of companies out there that don’t have security people.
It can take a company over 280 days to detect and remediate a breach, and it's even longer for smaller companies. Click To Tweet
Security people are expensive. They’re in demand. They might be lucky if they have 1 IT person or 2. Blumira helps those small organizations prevent, detect, and remediate breach before it happens to them. Because we’re focused on small businesses, it’s critical to make it super easy to buy, set up, operate, and manage. Ideally, also, it’s easy to interact with us. Our mission is to help those small organizations avoid getting breached, but if they do, help them solve it even faster than is in the market.
280 days is 9.3 or 9.2 months or something. Your data is gone by then.
There’s a lot that happens. Whenever I read about a big organization getting breached, I feel for the people who have to work in security and IT there because they’re probably doing their very best. It’s challenging, especially in large organizations. Even smaller organizations too. Since there are a lot of folks and vendors out there who already focused on the upper part of the market, my career for the last decade has been focusing on like, “How do you bring security solutions to the underserved population in it?” Duo was all about multifactor off. This is another level of complexity, but fortunately for us, the technology is here for us to do it.
I’m excited about what we can do. The thing that’s interesting to me is that when we have customers, they usually don’t leave us. We’ve had a 100% CSAT score since we’ve been measuring it for 2021. In SMB, that’s amazing. If you want to talk about culture and how that informs things, this is how it manifests itself. It’s possible to do this. I’m excited to see other organizations go down this path because there are a lot of people and companies out there who need help.
When you’re talking about SMBs, Small to Medium-sized Businesses, are we talking about companies that anybody can use? Here’s the reason I’m asking this question. A lot of companies that are smaller or mid-size companies don’t think that they’re ever going to get breached until it happens.
The way we sell our product, we sell directly to customers. Probably the biggest challenge there is market awareness. Do they know that there’s an issue? If they do, do they know how to solve that? The other way we do it is indirectly through a channel, through MSPs, where we see a lot of success because, fortunately for the people who consume their services through MSPs, MSPs are very savvy and smart and are like, “This is a good security thing.”
The MSP has peace of mind. Their customers aren’t going to get breached, but then the customers are benefiting for us. The number one competition competitor when we’re dealing with direct customers is to do nothing because they haven’t been breached. There’s a lot of work to be done there on the education side, which is pretty common when you’re going into a market that hasn’t been tapped before with a product.
What does MSP stand for?
It stands for Managed Service Providers. It’s very common for very small businesses to use an MSP to outsource their IT. They don’t have to have that IT person and someone can handle Google, Zoom, and all of that stuff for them. Increasingly, we’re seeing even larger companies begin to take advantage of MSPs. Traditionally MSPs are focused on the IT side of things. It is an interesting tool for them because it is a security tool that’s built for IT folks. They get it immediately. It’s easy for them to get up and running. It creates value for both them and their customers.
I was talking to my two daughters the other day and they’re like, “We don’t want to go to a cashless society because we don’t want to wake up one day and find out we have no money left in the bank.” They’re 21 and 23. I found that from a perspective of an older man, like, “Wow.” I remember when ATMs came out, the older folks wouldn’t put their money in there because they thought it would eat it and never get their money back. For a small to medium-sized company, what damage could result from a cyber security break?
There are a number of different things. Probably the most common thing we see is ransomware, where a company will not be allowed to operate until they pay a certain amount of money to whoever’s holding them hostage. It’s a little different like if you’re getting into specific verticals. If you get into healthcare, HIPAA has fines if people’s personal information gets stolen. They are targets because the value of those fines is high that they can command high ransom.
We’ve seen some prospects and customers run into this over the years. It’s surprising to them when it happens. Anybody can be a victim at this point. It’s whether or not someone decides to knock on the door and see if anybody’s there to do something about it. You don’t know when it’s going to happen. I don’t like talking about it from fear, uncertainty, and doubt. Based on what I’ve seen, there is no safe place. It’s a question of when, and is there any perceived value to the company that somebody could take advantage of?
Could it be where their employees are looking online that creates these issues?
Can you give me an example?
I was working with a wireless security company one time and I was shocked at the statistics of how many men and women view porn and go on to online betting sites and things like this.
A good example of that is remote work. Let’s say somebody is at home. They look at something on their computer that installs some Trojan or virus onto it, but they’re also doing work for their company. All of a sudden, you’ve got a situation where somebody might be able to get into corporate because somebody is working from home. There’s a whole philosophy on how you want to manage that proactively called zero trust where you don’t trust people’s laptops or desktops or them until they have proven validate that they are who they say they are, that the computer is up to date and has no viruses.
It’s a challenging architecture to roll out. We’re on the other side of that where we’re like, “If something does happen, we’re going to point it out to you before it gets too bad you can do something about it.” Most of the time, nobody who works for an organization intentionally sets up their organization for failure. There are a lot of points in technology where these things can happen, especially as we’ve gone remote.
That would be huge for a CEO to protect themselves because even the PR fallout of certain things could happen. Every time we see a big company breached, it hits the news for sure. Even in a smaller company, I wouldn’t want the CEO or the presidents of banks, an attorney firm or anybody who has a fiduciary relationship to find out my place was breached and have to deal with the fallout of that PR issue. They ought to take a good close look at it. The reason I’m saying this is because I know a lot of companies that are smaller, with 50 employees, tend not to look at this.
They think they’re flying under the radar. I totally get it. I’ve also seen companies like that get breached, unfortunately. That’s the hard part. There’s a whole industry built around like when you do post-breach called incident response. That’s paying people to figure out how to fix it all for you. We need to educate people a little bit more about the dangers that are out there. The other thing is it shouldn’t be terribly expensive to do this either. The other part of what we’re trying to do here is making this affordable for those small organizations to do so because, traditionally, the vendors that are out there are quite expensive when it comes to providing solutions for organizations.
If people want to get a hold of the company and you, do they go to Blumira.com?
Yes. If you want to, you can sign up for a free trial there. We allow you to protect your Microsoft 365 environment. We’ll give you some insight so you can try the product out, but the entire idea here is that most organizations are using Microsoft 365. There’s a lot of good data that you can use to determine whether or not you’re doing okay. We want people to try that out, see it, and if they find value in it, feel free to call us up or maybe we’ll reach out to you and see if there’s more you want to do with us.
I saw that on the site that was no credit card down or something like that.
You want to make it easy for people to try stuff out. We put ourselves in their shoes. I don’t know if you ever go to a website and you’re like, “I’m going to try this thing out.” Please enter your credit card. You’re like, “How do I feel about this? I don’t know who these people are.” You don’t want that barrier. You want people to be like, “I’m going to try it out. If they get value, great. If they don’t get value, no harm.”
Thanks for much for being on the show. Thanks for bringing your A-game. I’d love to have you back on the show. We’ll dive deeper into the security side.
You’re welcome. It has been my pleasure. Thank you for having me.
—
What’d you learn? I learned a lot. If you are going to create a culture, it starts with leadership. We all know this, but how many of you are proactively taking time in building meetings with your team, executive staff or upper-level management on how to build your culture? That is the key. I was telling Jim I worked for a company, it was called PAETEC Communications and a man named Arunas Chesonis was the CEO of that company. The executive team was amazing. We built that company up and I say we because we all worked there. That company eventually sold off for $2 billion. Our stock shares were happy at that point, but we were all happy to be there.
Jim creates an organization and a company where people are happy to be there. It’s been a long time since I’ve worked for a company, and I was thinking through this process, “If I would’ve met this man, I would’ve gone to work for him. I worked very long hard hours for a lot of different companies and I would’ve done the same for him and made them tens or hundreds of millions of dollars in sales every single year.” Why would I do that? It’s because part of the culture makes us want to do that. You probably have been in an environment in the past where you’re like, “This is amazing. I want to be here. I’m into being here.” Hopefully, that includes a significant relationship in your life and you still feel that way.
When you’re at work and you feel that way, your employees transcend into the business, into the people buying from you, and they can feel it. Have you ever been to an organization where you’re like, “These people are happy to be here and I’m happy to be here buying from them?” It’s infectious. We can’t help ourselves. Create your culture and values around there and value your employees, especially when things are going on more than ever. Value your employees. That doesn’t mean you don’t fire people or don’t move people to new places.
It means to value them because that’s what they’re looking for. Speaking of value, cybersecurity. If you haven’t looked at cybersecurity in your company and you’re a small, medium-sized business or you’re a large business, please do so. It only takes one instance to cause a lot of damage to the architecture of your company. It impedes sales processes. It can be a PR nightmare too. Even my companies, I’ve had a couple of them where we had some cybersecurity issues and people got in there, got past the firewalls and did all that stuff back, especially when it wasn’t as sophisticated as it is now. We’ve learned.
Please don’t learn the hard way. The easy way is a lot easier to learn. If you want to check out Blumira, please do as well. As always, if you love the subject, please go give it a five-star review. If you have a subject that you may be an expert on or you know somebody is an expert and they might want to be on the show, please send them our way or come our way by yourself. Send an email to YouMatter@CEOSalesStrategies.com and we’ll be happy to review and we will answer all inquiries.
If you have somebody yourself or someone you know who wants to be in the top 1% of earners through selling, let us know. Send me an email at Doug@CEOSalesStrategies.com. If you want to optimize and build revenue in your company, we can help you out. I want to thank you for being here and reading. Please tell your friends. The more people who read, the more people we can help, and the more we grow as well. I’d be truly grateful.
As usual, go out and sell something. Sell a lot of it. Make some friends. Play win-win. Make them happy. You’re happy. They’re happy with your product of service. You’re happy that you have a new customer or a repeat customer and you’ve made some additional funds and it’s a win-win play. Until next time, to your success.
