On this episode, Jason talks about the challenges of preparing to take QOMPLX public via SPAC, how to ‘be your own enemy’ and improve your ideas, plans, and teams by seeing them from the other side of the board, and the many leadership lessons he learned from his time in the Army.
“Think about spinning the board around and sitting on the other side of it and saying, how would I beat me? And I think if you do that really well, I think there's a lot of reasons why being your own enemy in that context is something that's a really valuable skill for thinking aggressively about how to improve your own ideas, about how to improve your own plan, and how to improve your own team.” — Jason Crabtree
---------
Episode Timestamps
Episode Timestamps:
*(2:00) QOMPLX’s founding story
*(5:00) The press coverage of ransomware and its overall uptick
*(8:00) The structure of the criminal enterprises
*(11:00) The main habits that have allowed Jason to be successful
*(13:00) The similarities and differences between West Point/Deployment and running QOMPLX
*(16:45) The similarities and differences between growing teams as young military officers and as a private sector CEO
*(19:30) A crash course on leadership and team dynamics
*(22:55) How QOMPLX is different from its competitors
*(25:55) QOMPLX’s acquisitions to date
*(29:35) The future of QOMPLX and the problems they are trying to solve
*(33:20) Jason’s learnings on the SPAC process
*(37:05) How funding affects QOMPLX’s mission
*(39:30) The future of society with QOMPLX achieving its mission
Links
Connect with Jason on LinkedIn
Connect with Eddie on LinkedIn
[00:00:00] Jason: [00:00:00] Think about spinning the board around and sitting on the other side of it and saying, how, how would I be. And I think if you do that really well, I think there's a lot of reasons why being your own enemy in that context is something that's a really valuable skill for thinking aggressively about how to improve your own ideas about Riverdale and plan, how to improve your own team.
[00:00:21] Producer: [00:00:21] You are listening to OnPoint a show about veteran business leaders, entrepreneurs, executives, seers, and social innovators who made a name for themselves in the military, and then took the private sector by storm. This show is hosted by the founder of the old grad club, Eddie Kang.
[00:00:38] Eddie: [00:00:38] Hello, welcome to OnPoint.
[00:00:40] This episode features an interview with Jason Crabtree, CEO and co-founder of complex at risk analytics software provider that helps companies protecting and cybersecurity threats. Jason is a veteran of the war in Afghanistan, former captain in the U S army first captain at west point and a road scholar.
[00:00:56] On this episode, Jason talks about the challenges of preparing to take complex public [00:01:00] fields. He goes deep into how to be your own enemy and improve your ideas, plans and teams by seeing them from the other side of the board, as well as many other leadership lessons he learned from his time in the army.
[00:01:11] Jason and I first met in math class during plebe year, and it's been fascinating watching him tackle really incredible challenges, both in and out of the military. Before we jump into it, feel free to check us out on LinkedIn and instagram@oldgradclubandonlineandoldgradclub.com. Now please enjoy this interview with Jason Crabtree.
[00:01:32] Thanks a lot for coming on the show. What we really want to kind of dig into today is, is all things complex and also how the hell we got to where we are today. So obviously great things have been happening with the company. But can you take us back to the founding of the company, how you started it, maybe a little bit, the background of the relationship with you and Andrew, and then also, where is it today versus what you really thought it was going to be in?
[00:01:59] Jason: [00:01:59] Yeah, [00:02:00] sure. I think complex was founded in 2014. Really? We were 2015 as a C corporation, but it really came out of a collaboration with my co-founder Andrew Sellers that you mentioned. And Andrew and I actually met at Oxford. And so he and I ended up becoming friends over some long discussions and a few drinks thinking about some of the challenges with cyber security with, with AI, with, uh, thinking about what, what was the future in this world?
[00:02:25] Or if you had all this information, it was just hanging out on the. You started to do stuff with it, or if you could create it and some of it might be fake. Well, what would that mean? And you know, at the time we were in both in grad school, we both went back and finished our active duty service obligations for the government and, you know, Actually ended up meeting each other.
[00:02:43] Again, I went to Afghanistan, he was in Iraq. He ended up doing chief architecture work for the air force, redesigning some of the core networks, core services, core systems, analytics stack, et cetera. And I was on the army side instead of the air force, obviously. So ended up thinking about it. Sort of the future of [00:03:00] cybersecurity.
[00:03:00] I ended up at cyber command. And so it was funny because when he was at the air force side, I was, you know, on the other side of the aisle, if you will, and working on a lot of the big data infrastructure, the, the sort of systemic risk modeling war gaming, if you will, and cybersecurity problems for cyber command and NSA.
[00:03:18] And when he, and I just kept coming back to again and again, and again, was that. Data infrastructure. And that the identity infrastructure that was used across corporate America and across the government was just fundamentally wrong. It was at risk and it was going to lead to really massive breaches. And we left right as that started to occur.
[00:03:35] Right. So one of the kinds of breaches that you saw in 2014 office personnel management, SFAT six forums go to China. Right. That was a, that was the first time that you saw what you're now seeing and most ransomware events, and you're seeing it. And you know, the solar winds events when Russia is owning the federal government again and DOJ, IOT, et cetera, all exactly the same stuff.
[00:03:54] So that was, that was part of why he and I ended up starting a business together and left active duty to go out and try and build this [00:04:00] data infrastructure, this real time streaming analytics infrastructure that we thought was necessary for this niche use case of can you solve identity and security?
[00:04:07] Can you make sure that authentication is real? Can you make sure that, that you can actually trust. And then, but more broadly, it was this bigger idea that risk and data are kind of a fundamental part of the future in a digital world. And I don't know, I think that's something that I think we're we're as a society, just beginning to come to grips with what that means.
[00:04:25] Eddie: [00:04:25] Oh, totally. Is just Jason. Like there's so much stuff in the press I was reading like the journal, I think, had something this morning about like all these hospitals that are getting hacked and held, you know, that's terrifying, right? Because it's people's lives literally at stake. Um, and then you had all these other ones that are.
[00:04:41] Bitcoin's obviously a huge piece of this in the news lately. Um, when it comes to how these ransomware payments are made, are the headlines. Um, apparent today or has this always been as big a problem as it is today? Like I'm trying to like digest in my mind whether or not this is always been [00:05:00] this big a problem, or it's just that, like, there's been an uptick in things just, you know, are just hitting the
[00:05:05] Jason: [00:05:05] press.
[00:05:06] Yeah. So I think the reality is that a lot of the cyber attacks that you're seeing now are certainly getting a lot more coverage and in part that's because. You know, these organizations went after things that we're all experiencing together. Right. I mean, they went after our burgers. Right. They, you know, they're, they're bastards now.
[00:05:24] I mean, there are, there are, there's gotta be alive somewhere, right. You know, or burgers and fuel. And, you know, are there things though that get consumers are connecting to because it's something that everybody experienced simultaneously. Remember, there were big, big hospital attacks this last year. Right?
[00:05:41] So UHS huge. Right? You
[00:05:43] Eddie: [00:05:43] mentioned you realize until I read some of these articles, if there is just an massive number of hospitals, That are, I just wonder if people who are losing can injured or dying because of it. I mean, that's absolutely mad. So I
[00:05:55] Jason: [00:05:55] think one of the challenges has been that it just keeps getting treated as a geek [00:06:00] issue, right?
[00:06:01] Oh, that's, uh, that's the computer people and, and, and some of the folks in it and security have liked that for a long time. Right. It's I think people thought it was fun to be the wizard. It turns out though that if you're in a world that's completely digitally native. You heard, you're now completely hostage.
[00:06:17] If you are not able to use these systems, this isn't something where you can just fall back easily anymore. And I think that's really, really different now than it was five years ago than it was 10 years ago that it was 20 years ago. And I think part of this is just that society is just starting to grapple with the fact that we're entirely dependent on our digital infrastructure and in a digital world.
[00:06:38] Risk is a consequence of dependence. So if you could be deprived of this, you have to start behaving differently. How do you prevent it? How do you think about it in terms of business continuity? How do you do all these other pieces? The one thing I'll say though, is the attack techniques they're actually being used, right?
[00:06:52] They're the same, right? 2014 and 2021. Aren't seeing that many things that are different in terms of how the bad guys are [00:07:00] behaving. Interesting. It's just that the bad guys can now get paid for Bitcoin. It's easier to move money. It's just, now that the bad guys are having access to this stuff, they can scan the internet a lot easier.
[00:07:08] The tools are a lot better. There's lots of free stuff that you get out there. That'll help you join the criminal enterprise. And I think the last part is, remember this isn't like one person finds you. Yeah. This is a, a sophisticated criminal supply chain. There are people who scan. The world to look for vulnerable companies.
[00:07:26] There are people who exploit those companies to gain initial access. They then sell the initial access to people who move across the network and compromise the core identity infrastructure to gain administrative rights. And then once they have dominance, once they own the network, they either push ransomware or they sell user rights or they sell a backdoor simplistically.
[00:07:46] And then there are people who specialize in it. And they come on to actually run the negotiations and handle the money. That's what this is. This is a supply chain, just like selling a consumer. Good. It's just a slightly more negative one. And
[00:07:58] Eddie: [00:07:58] Jason, are you saying that when you say [00:08:00] there's people like these, these different stakeholders within these criminal enterprises essentially are.
[00:08:06] They're all in different organizations.
[00:08:08] Jason: [00:08:08] So this is more like an affiliate network. And a lot of these cases, it's a Federation of people that have unique talents and sell access, no different than a business that's selling. Some particular goods has different types of logistics in advertising and marketing and fulfillment and payment providers.
[00:08:25] That that same thing exists for ransomware. And so this is a part of a broader theme of digital fraud, identity, fraud, harvesting, right? All of these things that are going on. It just happens to be a really lucrative one. When you have JBS paying 11 million, you've got co colonial paying 4.4. And I think a lot of people thought that was.
[00:08:44] That's not even the big ones, right? CNA financial $40 million or handsome earlier this year. I mean, those are much, much larger.
[00:08:50] Eddie: [00:08:50] I think the journal was saying that all the combined total that hospitals have paid out is over a hundred million dollars. There's just a lot of money at stake, not to pull too much on this thread of who's [00:09:00] doing these things, but are they in America or.
[00:09:03] Who are these people? I'm like, where are they?
[00:09:04] Jason: [00:09:04] Yeah. So I think that the vast majority of ransomware groups continue to be sort of finding a call it a physical sanctuary and, you know, Russia and, and sort of Russian influence states. And I think that's interesting vastly supported by the data. So Conti right, that hit the Irish health organization revival.
[00:09:24] You've got dark side, like colonial, right. That group. Right. There's and there's a bunch of these. And I think one of the things that I think we've, we've done a disservice on is we've, we've sort of. Glamorize these things, right? So there's some, like there's folks out there naming of pinchy, spider, and you know, uh, you've got, you know, wizard spider, and you've got all these groups and, and it honestly, it makes them sound even scarier.
[00:09:44] Right. And I remember that a lot of organizations that get hit by these actors, they don't want the world to know that. And there are. And so that's part of what gets used against companies is there's, there's sort of negative stigma about acknowledging that this is happening to you. And, and I think [00:10:00] we've, we've got to do a better, a better job of holding people accountable because a lot of these folks don't defend themselves very well, but at the same time, to be honest, we've got to do a much better job at bringing the fight through legal means to these kinds of organizations that are disrupting the system.
[00:10:12] Eddie: [00:10:12] Yeah. I mean, they're, they really are in like how you had mentioned earlier. They're hitting us in areas that are very apparently and affect the average person, whether it's medical or whether it's oil or whether it's burgers, like holy crap, love to rewind a little bit. The nature of this conversation is kind of cool.
[00:10:29] Like you're leading a company that's about to go public and. You're in some ways like saving the world, which is kind of cool in, in a very digital way. What brought you here? I think it's cool that we had, you know, plead math together, but you were the first captain at west point. Rhode scholar did really interesting things in the military.
[00:10:49] And then now you're, you're the founder of complex, which is a great success. One question I'd like to ask is what are some habits that have allowed you to consistently be [00:11:00] successful in doing. Arenas of your life?
[00:11:04] Jason: [00:11:04] Um, well I think a lot of what I think about, and frankly, a lot of the reason why I ended up in information security is it's, uh, an incredibly dynamic, fast moving area, right?
[00:11:17] Risk is, uh, fluid, especially risk when you're trying to manage risk for organizations that are facing a sentient human adversary. Right? I mean, there's someone thinking about how to attack. This isn't, this isn't like defending yourself from hurricanes or thinking about tornadoes or things like that.
[00:11:36] Right. That there's still sort of some difference. I think in thinking about this kind of peril, where, where you're fighting with people and, and I think it's also where you're a defense. And for most organizations, they don't get to fight back. And there's a lot of reasons why they shouldn't. Um, this isn't a hack back thing.
[00:11:54] We're not going to worry. I'm going to get sucked into that black hole. But I, I think the, the reality is that if you are an [00:12:00] organization, that's just trying to go about your business and service your customers. That's something that everybody needs access to. And I think one of the reasons why. For Andrew and I, when we were working with defense and intelligence.
[00:12:09] So we were working with some of the biggest banks in the world, and
[00:12:11] we're
[00:12:12] Jason: [00:12:12] learning about how some of the most sophisticated organizations were trying to defend against this stuff. We realized that that capability set was the way it was being done was unequivocally not going to scale for the world. It was very manual.
[00:12:28] When
[00:12:28] Eddie: [00:12:28] you talk about defending and you talk about being able to like, have that back and forth with the enemy or bad enemies or whatever it is. Are there any parallels that you drew from. At west point, you were training to become an officer to defend the country. You as a young military officer, you were deployed in combat to do essentially the mission right.
[00:12:49] Of defending. And now you're doing it a company that's. Are there any parallels between that or is it coincidentally? Like how do you think about that and what drives you in what you choose to do? And then [00:13:00] also maybe what, what allows you to be. Always Excel in what you're doing.
[00:13:04] Jason: [00:13:04] I mean, I think for me, like curiosity is part of this and I think the other part of it is thinking really adversarially, if you can put yourself in somebody else's shoes, the person who's trying to attack into your network, the person who's trying to attack, you know, I was an infantry officer, right.
[00:13:18] But the person who's trying to attack your small unit, you can go back to your military science classes at the academy at the gig about operational planning. Think about spinning the board around and sitting on the other side of it and saying, how, how would I be. And I think if you do that really well, I think there's a lot of reasons why being your own enemy in that context is something that's a really valuable skill for thinking aggressively about how to improve your own ideas about your own plan on improve your own team.
[00:13:46] And I think that's something that is at the core in cybersecurity and information security. And I think the other part. If you're really curious and you want to learn all the time. I think you've got a good shot at figuring out what's becoming important and reassessing. [00:14:00] What was important two years ago, or three years ago, or five years ago might not be important anymore.
[00:14:05] And so I think this idea that you have to continually say, what are my assumptions? Are those still valid? What are my constraints? Are those valid ones. Are they real constraints? Are they self-imposed are these self-imposed limits? And what are the goals that I'm looking at? And then can you articulate an end state?
[00:14:21] And can you identify some of the key steps along the way? And then can you actually go build a team that cares about the end state that cares about the mission enough to go do that? And I think for me, a lot of things that that came through, whether it was the west point experience or being a military officer, a lot of them remain intensely applicable.
[00:14:38] This is mostly about convincing a group of people. To rally around a mission and hopefully it's a good mission. I think, I think we have one of the best missions in the world that complex, which is what I find really fun about it. But if you can keep bringing people together to say we're a home for talent, in our case, we want to be the best in the world at risk for a connected world.
[00:14:59] And [00:15:00] using data to actually simplify data so that you can actually transform your risk into competitive advantage into something that's going to help you outperform your competition to operate when your, your, your peers go down to be there when your clients need you even under duress. And I think everything that I've been doing and, and antagonize, you know, collaboration building this business has been around that.
[00:15:19] And, and that's why I didn't be behind. I guess I'm wearing a different logo, but it doesn't feel very different than when I wore the uniform. It's I guess I probably have a little less paperwork to do when I travel though.
[00:15:30] Eddie: [00:15:30] Oh my gosh. I always thought it was, yeah. We w not to digress into the old army days and, and all the paperwork and the silly things that I feel like just seemed ridiculous right now, but let's super cool.
[00:15:44] And how do you think about that? Because. You left the military. How many years have you, how many years out are you? Uh,
[00:15:50] Jason: [00:15:50] after certainly success? I don't know. I left in 2014. So that many, uh, seven, seven this fall. Yeah, this year
[00:15:58] Eddie: [00:15:58] I left, I left in [00:16:00] 13. It's funny how quickly life changes. Right. But it's, it's only been like six years.
[00:16:05] You got out, you started a company. At that point, he was probably a pretty small team. You, you had talked a little bit in the military were always leading teams, right. And it's, it's crazy how, as a, as a Lieutenant, you come in and you were given this great responsibility that most people in the private sector probably never, never lead a team.
[00:16:22] The size that, that, uh, perhaps a Lieutenant does now, you've grown it to an entity that how many people does complexity now? Um,
[00:16:29] Jason: [00:16:29] we're a few hundred. We'll be, we'll be about 600, uh, this summer
[00:16:33] Eddie: [00:16:33] and it's growing rapidly. Yeah. What have you learned that's different in growing the team in the private sector versus growing or having the team?
[00:16:43] I guess that we had is as you know, young officers in the military.
[00:16:47] Jason: [00:16:47] So I'm a big believer that you always want to try and get the most out of the team you have, um, regardless of whether or not it's the team you want. And I think one of the things that the military is really good at it, [00:17:00] helping people think through it, Here you go make the most of it, right?
[00:17:03] How far can you get? And I think in building a company, especially from the ground up. You have to recruit that initial team. And we were really fortunate. We had some wonderful people that joined our business early. We were tremendously lucky for that. We had some, some wonderful investors and sponsors and partners that helped us recruit some great staff.
[00:17:20] And, and that, that gave us, I felt like a leg up maybe, but every time that we've gotten better as a business that we've gotten bigger. We could attract better talent. We could start to improve, pay and benefits. We could start to do things that made us able to, I think, continue to attract better people on talent.
[00:17:36] I think that that's maybe one distinction for a company like, like the one that I run it complexes, you know, we're able to share. Our personnel strategy, maybe a lot more than, uh, what a lot of, of realistically line officers are effectively going to have the advantage to doing. And so we probably feel maybe a little bit more like, you know, maybe how some folks in SOCOM feel in the sense that [00:18:00] they can sort of draft talent, right.
[00:18:02] We're always trying to go out and draft talent into our organization and, and trying to offer the right incentives to get them there and then trying to keep them. But I think the fundamental piece still goes back to, do you have a mission? Do you have. Folks want to be around. And are you building in particular as you scale, are you building middle management layers who are so important to the quality of the experience as an employee employer?
[00:18:25] In our case, a customer is going to have, and if you aren't, you're not going to be successful. So we think a lot now, as we're starting to grow more and more. About how is it that those, what would be the equivalence of those Italian commanders or company commanders that could have a really positive or really negative impact on the underlying team?
[00:18:42] Are we doing the right thing to make sure that those people are exuding all of the kinds of behaviors and whether those are personality and leadership and character behaviors that we want to see and think represent our values. This is a
[00:18:53] Eddie: [00:18:53] team. My thesis is as I'm talking to more and more. Military veterans that were successful, both in the [00:19:00] military and it's scaling really large civilian or private sector organizations is that skillset is super valuable to lead large organizations as complex as becoming a significantly large organization here.
[00:19:12] So what other insights, um, do you have based off of your experience, um, in the military that have helped you really build like a larger.
[00:19:22] Jason: [00:19:22] I think one of the things that was good for me that I think I got a really intense crash course in, in part, just because of when I did get some intense mentoring from general counsel and some other folks when, when he was coming and I was the first captain and Mike Lennington and some others was maybe a really early crash course and things about the difference between small team leadership and organizational.
[00:19:44] Interesting. And, and I, I think when you think about managing direct reports and you think about the team leader, the squad leader kind of equivalent, and you can shape a lot of what those people do every day. So you're, you might be intensely aware of the inner workings of how they spend their [00:20:00] time. And I think the same, thing's true in business, right?
[00:20:02] When we started our company, right. Andrew and I borrowed money, we put everything we had and just started this thing and we raised a tiny little bit of money to get going. We were directly managing every individual contributor in the business. And I think that's very different than when we were 75 people.
[00:20:17] And we had some folks helping us manage them. And that was very different. We were 150 and 250. And so when you start thinking about the fact that your touch points, the number of interactions you get with every interview, It's different. The level of control over hiring that you have is going to be different.
[00:20:33] The level of control over quality assurance on their work is different, right? You start shipping product that you've never seen. You start having deliverables, go in front of clients that you've, you've never, proof-read, that's a massively different experience. And I think for me, I actually really like trying to work with senior leaders to coach our senior teams through.
[00:20:52] Shared performance and other pieces. And, and I was very fortunate. I think that some of the questions that I got to see Buster Hagenbeck and others [00:21:00] ask and ask me when during that time, I think stuck with me later. And, and frankly, I got the same kind of mentorship and, and was very fortunate when I worked at cyber command for Lieutenant general, red Hernandez and Lieutenant general and Cardona, and then BG Paul Nakasone, who's now over at NSA now, now full general, but you know, some of those people that.
[00:21:17] I got to watch an action firsthand and worked for and get coached by for things I did well or didn't do well at different times on their behalf as part of their teams, that changed how I behave. And I'm very, very fortunate, I think, to have had some of those direct opportunities that. Maybe earlier in my career, then I'll then, then a lot of folks have the opportunity for, but I think that's one of the things that, you know, think about the difference in the questions that you ask.
[00:21:42] Yeah. And I think asking really intelligent probing questions is as in a larger organization, becomes an increasingly important for you to really pull out the best from your team and to get them to take ownership of what they're trying to accomplish. Yeah.
[00:21:57] Eddie: [00:21:57] Yeah. I think that that's a [00:22:00] great insights, I think.
[00:22:01] Yeah. It's weird because in the military, it's kind of expected that you're going to get to a certain degree, a certain level in the military where you manage like, uh, like significant number of people, hundreds of people, if you stay in long enough, the private sector, most people never really manage that many people.
[00:22:18] Um, but the, the lessons I think are super helpful on both sides of that. And so maybe we can focus a little bit more on complex here. Cause I, I think. Ransomware is a huge topic in the news. You all are really well situated in, in the fight against it. Um, how do you think about who else is out there? Like who do you compete with, like in enterprise software that also combats the same problem.
[00:22:49] Um, and why do you do it differently? Like, what are the, what's the approach that's allowing you to be really successful these days?
[00:22:55] Jason: [00:22:55] I think you're seeing, you know, even if you look at the president's recent executive order [00:23:00] on moving to zero trust among other things, I think people have recognized that security and these modern networks have to be treated maybe bit differently back to that theory.
[00:23:10] Know, managing digital dependence. That means managing risks. This is now a mission critical thing. You don't fight as well. You don't move as well. You don't operate as well if it's taken away from you. But one of the things that a lot of folks miss, well, I think when it comes to security, types of issues is what are the assumptions?
[00:23:25] What's the equivalent of gravity in the digital space. And it turns out that authentication, right. Identity and authentication are at the core. Of every single security control and operational decision-making. If you can be whoever you want to be on the network and you can impersonate anyone you want to be well, that's pretty scary.
[00:23:44] That means that you can decide that you, you are the commander in Afghanistan or that you are the commander of, of a specific fleet. And I, and I think that this idea that you want to know who did what to whom and when. Most of, of amassing force and doing this even in the military [00:24:00] context is the coordination of assets and time and space to achieve a specific, desired effect.
[00:24:04] So in, in our case, and or in the commercial space as an executive who runs ops, that's what you're going for. And I guess complex in part of our theory was that if you want to do that really well and do it at scale, you really need to have this, this Lego kit and way that we talk about it, to eat all this data.
[00:24:21] To operate in a really, really quickly and at scale so that you can actually try and say, Hey, what's the stuff I care about. Where is it? Is it healthy? Is it not? And how might it change in the future? And the first use case we took on was this active directory and identity. And in a case that you're seeing in ransomware in espionage, I think the core, the core thing that we look at is, is kind of as simple as this, most people in cybersecurity are telling you, Hey, we sell, you know, firewalls for the perimeter, or we sell endpoint devices for this.
[00:24:48] Uh, we'll sell you an identity provider and that's going to be easier to trust and, and none of that Sarah trust and it's all necessary ingredients of zero trust. Yeah, but if you want to have zero trust, it really [00:25:00] means a hundred percent trust and identity. And that goes back to a very familiar, maximum that you remember from our academy days, which is trust, but verify.
[00:25:07] And if you think about our business, in some ways it's as simple as that is trust, but verify we do the verify so good, but you damn well better inspect what you want to see done. And if you don't, you're going to be really disappointed. So that's why we say, Hey, is that a real log-on? Is it not? Is it, is it, is it fake?
[00:25:23] Is it foraged? And that was sort of the beginning. I think of, of thinking about, do you have trust in and in the networks, that's move all your data and do the, you then trust them. So that that's that's I think what started Andrew and I, when, when we realized we needed to kind of flip this thing around and behave a little bit differently.
[00:25:39] Yeah.
[00:25:39] Eddie: [00:25:39] Awesome. And you've made some acquisitions along the way, right? With, uh, center Hyperion gray, uh, how much of it is kind of homegrown and then. This is MNA, uh, with what you're really going to go out to market with when you, when you end up by, you know, going public
[00:25:55] Jason: [00:25:55] we've done is we've just continued to, to build an, a mass core, talent [00:26:00] and technology.
[00:26:00] And I think if you look at complex, complex core business is all around having this really tremendously fast, powerful data engine that eats and ingests and contextualize information at massive scale. And, and that's the core of it. It's the core of our business. But what we started to do was build these applications and cybersecurity insurance and risk Hyperion.
[00:26:19] Gray's a great example. I mean, known the founder, Alex for a long time, he and I actually knew each other from some of the DARPA programs that he used to support. Right. So he was doing a lot of work for the government on DARPA side. And that's how we originally met. And they were helping crawl the web for dark web to catch child predators.
[00:26:35] They were out there building open-source intelligence databases. They were out there doing all kinds of really important things for the government. And he had, uh, several different types of technology assets that we thought were fundamental to helping map the internet. To understand what types of breach data was out there before.
[00:26:50] One of the largest breach data sets in the world, some really awesome vulnerability scanners. So you could start to engage how dangerous a trip on the web was. And so we brought him in his [00:27:00] team is part of complex in part to help us understand how to kind of map the terrain out there in the internet.
[00:27:06] And that's been just fantastic and is informing all of our commercial products and also the government products and parts like center center was part of us expanding back to where we are. Complex had focused since we left the government exclusively effectively on, on the, the actual commercial side of the world.
[00:27:23] And part of what we wanted to do by partnering with the center, our founders and leadership, and bringing them into the complex organization was to give us access again, you know, classified contracts, vehicles, and, and facilities. Clarence is a tremendously powerful team. That's now able to help complex bring some really great technology where we're doing exactly the same thing.
[00:27:42] The government was missing to detect solar winds and other things. And bringing that back into the government, across the federal agencies, both military intelligence and civilian. And so I think it's really not any different, what we've been doing before or after. The listing process here for us with the spec, you know, IPO D [00:28:00] spec process, uh, you know, the main thing for us has been just really about how can we be a home for talent?
[00:28:04] Can we focus on the mission? Can we try and bring that to scale, to democratize access? Yeah. And are you
[00:28:10] Eddie: [00:28:10] keeping center and high and gray? Are they going to be kind of independent entities under complex, or is it going to be, is everything going to kind of fold in together? Like what is the structure of the organization after, after
[00:28:21] Jason: [00:28:21] those?
[00:28:21] I mean, from a business perspective, right? Complex is a really unified, integrated business. I think from an execution perspective, we're running all of our government business through the center, legal entities and those pieces in, in simple terms, because it's a key part of it. You know, maintaining facilities, clearances, meeting all of our obligations.
[00:28:37] So, but the reality is complex is big enough business that we have multiple us subsidiaries. We have international subsidiaries, we have different subsidiaries for different sort of regulatory purposes, et cetera. So from a business perspective, it's really one unified business strategy to bring the same cyber security and insurance and operations technologies to commercial and government clients.
[00:28:57] From a legal perspective, there's a little bit more under the hood [00:29:00] to pull that off in practice.
[00:29:02] Eddie: [00:29:02] I've talked to a lot of founders that with that, that have hyper-growth type companies and it's hard to keep track. And sometimes with the organizations that they're leading, I imagine you're something of a, a similar boat as you prepare to, to, to go public.
[00:29:14] But how do you think about the future for where both the, the company that you have as well as the problem that you're trying to solve is this only going to get worse and this being ransomware. It's obviously hitting the press. It's hitting us where it kind of hurts as a society, but if you're successful, does this problem mitigate itself or does it go away in some degree in the next few years?
[00:29:35] Or is it, I mean, where do we look in three years? And what, what does this look like?
[00:29:41] Jason: [00:29:41] I think one of the first things is that cybersecurity and frankly, the broader topic of risk, because we have experts here and we have experts. Modeling hurricanes and other kinds of natural calamities as well as, uh, digital ones.
[00:29:55] So we have, we have both. And, and I think one of the reasons that we did that is that [00:30:00] we have this real belief that understanding your digital and physical dependencies and managing your physical and digital risks needs to be unified. This is about operational risk in your business. This is can you, can you operate under duress?
[00:30:13] And I think that's the real, the real meaning of resilience is ultimately, do you degrade gracefully? Is this a on-off light switch problem, or is this something where you understand the performance envelope? You understand the hypothetical futures that you can be effective under and the relative degradation of performance as you get into increasingly uncomfortable ones.
[00:30:32] And so for me, I think that that broader topic in cyber is just a particularly poignant and invisible example of it is, is really a it's a wicked problem. It's never going away. There is no right answer. There is no perfect solution. This is about consistently doing battle with the mix of bad actors and just challenges inherent and in the scale and complexity of modern [00:31:00] organizations and technologies, the internet went down a couple, couple of weeks ago here at Fastly, right?
[00:31:03] You know, for a short amount of time because of a software bug and a configuration error that brought down a bunch of big websites around them that stuff's not going to change. And so with that backdrop, I think complex is really just trying to say, can you map what you care about? Can you guess, or estimate the state of all the things you care about right now?
[00:31:20] And can you simulate a bunch of hypothetical futures? So you could do a better job of figuring out how to stay healthy. Despite sort of the vicissitudes, the, the variants, the, the unexpected. And I think the more that you do that, the better, and, but ransomware is going to get worse before it gets better.
[00:31:36] And I think complex is, is trying to solve more of the root issues, the root causes we're trying to do less of the topical piece and more of some of the fundamental issues is really about identity and, and owning the keys to the kingdom. That's why it's. So yeah,
[00:31:50] Eddie: [00:31:50] your mind can kind of naturally. Think about other areas or other verticals or other sectors of the economy where more complex can be effective, but it does seem like as a [00:32:00] society, we're going to be increasingly more reliant on technology and obviously 2020.
[00:32:05] And COVID accelerated a lot of that, but there's a lot to be really optimistic about of the area of the economy that you're really.
[00:32:13] Jason: [00:32:13] So, yeah, I think that's right out of, yeah, it turns out, I think. The more that we can do with technology, the more that we're going to be dependent on it. And at the end of the day, we have a lot of work to do as a society.
[00:32:25] And for us as a company to just continue to try and be constructive about what can technology accomplish for good, but being aware of how does it get abused or misused or what other. Byproducts come from those capabilities and thinking about how they get used offensively back to what you're asking earlier, you know, I think curiosity and thinking about spinning the board around and kind of playing against yourself.
[00:32:46] I think that's a fundamental requirement for this digital age.
[00:32:51] Eddie: [00:32:51] Yeah, for sure. And Jason, can you take us through specs in particular? It's been a big year for specs, right? And well, they've always been around [00:33:00] in some shape or form, and I know that you've worked or you're working with and continuing to work with, with bill Foley.
[00:33:05] Who's done this, I think quite a few times now, can you tell us a little bit about your learnings on the spec process? Like why you chose to take the company public vs back and what all these different complications and in different. Mechanisms in order for you to fund the company to accomplish the mission, which is really vital to, to how we survive as a society.
[00:33:28] And so. Yeah,
[00:33:30] Jason: [00:33:30] sure. So for us, Andrew and I started the company and, and we, we had to grow and, and we needed to make some really fundamental investments and really core, deep software technology. Right. We build really large scale distributed systems and that means big iron, right? Um, that's, it takes time.
[00:33:46] And, and, uh, so we invest in the business and we raised a lot of capital privately, right. And tens of millions of dollars went into R and D and. We started going to market and tens of millions of dollars more went to R and D and the same into building an [00:34:00] organization, sales and marketing and structure.
[00:34:02] And once we got to the point where we decided that we were going to make some acquisitions, we were going to grow our business. We want to invest even more on our products. We were successfully deployed and some of the biggest companies in the world, and we went. Bring this back to service, the national security side that we started in.
[00:34:15] And some things like that, we knew we were getting more capital. And so we looked at public and private options and one of the things, and one of the reasons why I had partnered with bill Foley and Kai holdings was, uh, several years ago, was in fact to get smarter about what would it take for us to grow into being a public.
[00:34:30] How would we need to invest in building the right kinds of operations and discipline and finance and compliance and legal understanding. There's a lot that goes into this and you can't just decide you want to do it. It took us years to actually build the systems and the people and, and, and the, the muscle memory, if you will.
[00:34:47] And, uh, so as we went through that whole process, we, we recognize that we were. Make some acquisitions. And we also, we're going to invest in our growth. And as a result of that, we ended up deciding to partner with a [00:35:00] really great SPAC. And, uh, we, we really enjoyed the management team was the right fit for us.
[00:35:04] And, but part of the reason why we got comfortable with the SPAC process was I had an opportunity to see how really disciplined value investors like bill. Had approached using SPACs to find great companies that should be available in public markets and helping them get there so they could access the capital they needed to grow, and they could, frankly, you just continue to retain and attract the talent they needed to operate, because I think there's a lot of great things about being a public company in terms of the kind of people that you can acquire and have be a part of your team.
[00:35:31] And so for me, there's really nothing different about our strategy. Now than there was before we realized or decided that we were going to partner with us back, um, we just made the decision that we could be a bit or business, a more longterm business, some more focused business by being a public business.
[00:35:51] And we thought that that was ended be a better fit for us and being a PE portfolio firm. And I think that's something that's been something we have to go prove every [00:36:00] day, but we're, we're glad about it. I think that's, that's a SPACs setting. We're going to be around in part because they provide real opportunities for great firms to go through a very disciplined process to hit the market.
[00:36:12] Yeah.
[00:36:12] Eddie: [00:36:12] And Jason, how much money have you all raised
[00:36:14] Jason: [00:36:14] to date? Currently had raised around $80 million of venture and private equity capital for its growth capital and building its fundamental technology. And then the tailwind spec. That's a word. Currently working with, and then we'll finish the DCE back up here soon.
[00:36:31] That's a $334 million back. And we, we went with tailwind tailwind raised a $180 million committed a pipe, which is a public investment in private placement rounds. So, so the pipe piece for us was, was something that we were very fortunate that fidelity and I had a Sophia and others came in alongside.
[00:36:49] Can I holdings that invest in us again to actually help anchor to our transaction as we went through the DCE back process.
[00:36:56] Eddie: [00:36:56] That's awesome. And with all of this extra money, [00:37:00] which is, it's a lot of money, um, does the mission broaden, um, I don't know if you've ever felt like you've been capital constrained.
[00:37:08] It seems like you've, you've always had the opportunity to thankfully have a lot of deep-pocketed individuals that have been supportive of, of yourself in the company. But this is, this is significantly more capital than you've had in the past. Does anything change from that front?
[00:37:22] Jason: [00:37:22] Well, I think the, the key thing for us is really a, again, I don't think anything really changes for us, right?
[00:37:27] We have, we have the same mission, which is to provide the best tools and expertise in the world to actually take an ingest and simplify this data and transform risk and cyber and insurance. Categories that we work in, happened to be where we focus that team. But I think remember some of what we're doing, especially some of our central team, I mean, these, these folks that we have as part of this, this broader organization are just tremendous.
[00:37:53] And so you see, do you see this combined business? Doing work on everything from operational technology and [00:38:00] industrial control systems on missile defense and Navy ships to securing the defense health organization, to working on big global banks that we support to some of the largest other healthcare.
[00:38:10] And we're working with utilities. I mean, there's just so many different parts of this, right? We work with some of the largest insurance and reinsurance companies in the world. I think our mission was, was so ambitious. Yeah. And what we're really trying to do is use these things like identity and authentication that are at the core of zero trust.
[00:38:25] And that's part of this big trend you're gonna see for years to come. We're using those to fuel building a better and better data engine and go back to grad school. And or now at Oxford saying, oh my God, so many of our top peers, so many of our top sort of academic coaches. They weren't going into national security.
[00:38:44] They weren't going into some of the missions that we thought were really important to help society do. Well. They were going into things like ads and that's okay. That's just, that's not what gets me out of bed for the morning. It wasn't, then it isn't now. And Andrew, and I thought, why isn't it a world that we're going to create?
[00:38:58] Where, [00:39:00] where our defense organizations, but also our I'll call it. Our, our, our core businesses should be able to access the same kind of talent and technical expertise that Amazon can. Because who's competing with Amazon. I think they've got big enough. Right? Let's let's go build infrastructure that allows lots of people to have sort of democratized access to this stuff.
[00:39:19] Just like we're trying to make, you know, security for everybody. A part of what complex is trying to bring out. It's not just the big people. It's, it's bigger than that.
[00:39:26] Eddie: [00:39:26] Yeah. It's a huge problem that we're trying to tackle. When we end these episodes. We'd like to ask our guests what's the future hold and how is it different because of what you all are doing?
[00:39:36] Well,
[00:39:36] Jason: [00:39:36] you know, I, I think, um, I certainly hope that the work that we're doing is actually going to make it. And in the world of security and I feel very good about the clients that we're working with, that we're, we're doing that for them and that we're going to do it for a lot of others, but we want to do that in this era where you can actually be hopeful about it.
[00:39:56] It's disappointing that ransomware is like this and the news. This is [00:40:00] solvable. This is fixable. This is stuff that we don't have to be experiencing. These negative consequences. If we're investing in the right kind of. Preventative measures, but mostly detection, response, rapid recovery, but you know, a big part of what complex is trying to do that it's different than being a security company.
[00:40:15] And this is why we're a risk business. We're a risk company is we are helping people understand, do I pay more to prevent stuff? Do I pay more to detect and respond to stuff? Am I buying insurance so I can recover? What's the ratio between these kinds of preventative, right? We would call them anticipatory investors.
[00:40:35] Or reactive route investments. And I think that this idea that we can help our clients and I think also help the government think about how much risk do we want, including in financial terms, as we think about resourcing and budgeting, because the government has to come up with a budget too. Yeah. It's so important that we can make this stuff pencil, because if you want utilities, if you want your local government, you want all these [00:41:00] people, remember ransomware is not just.
[00:41:02] It's the city of Atlanta. It's the city of Baltimore. It's all kinds of other people. And so if you want to actually help everybody prove to the taxpayer, prove to their shareholders, that they're doing the right amount of investment and their, their program is right sized for them. You have to show them how it hits them in the wallet.
[00:41:18] Not just that, that it's clear. I think the sooner we get there the better, and I hope that we're going to help usher in this era of really disciplined risk management that, that actually pencils and is in their self-interest to do.
[00:41:30] Eddie: [00:41:30] Gotcha. Yeah. That, that, that all makes a lot of sense. Jason, thank you so much for joining us on this session of the on point podcast.
[00:41:37] Um, thank you for listening in, um, really appreciate it.
[00:41:40] Jason: [00:41:40] Okay. Great to be here with you, Eddie. Thank you for listening to OnPoint. Please take a moment to rate and review the show. Wherever you're listening. It really helps. Also subscribe to our newsletter@oldgradclub.com and follow us on Instagram and LinkedIn at old grad club.
[00:41:58] We'll see you in the next episode. [00:42:00