Tanium is a company that tends to challenge a lot of assumptions, both regarding what it does and how it operates.
The company makes software that helps IT managers at large companies check on the status of the thousands of PCs, servers, printers and other devices on their networks. The software might ask a desktop PC in a far-flung branch office if it has its latest Windows patch, or command a wonky server on the other side of the world to restart itself.
That sounds bland, but the importance of Tanium’s software can’t be overstated. It can handle these routine tasks faster and at a greater scale than anything that had come before. Quicker software also gives IT managers more time to focus on things like dealing with a hacking attack.
Tanium is the single largest investment from venture capital firm Andreessen Horowitz, which as of March had poured in a combined $142 million. In September, Tanium widened its circle of investors, taking $120 million from TPG, T. Rowe Price and IVP at a valuation said to be north of $3.5 billion. But as CTO Orion Hindawi tells it, Tanium doesn’t need the money, and nearly all of it is so far sitting in the bank untouched.
The founder and head tech guy spoke with Re/code about how the startup’s customers are dreaming up new ways to use its software, and what they plan to do with all that money.
An edited transcript of our conversation is below.
Re/code: Tanium has taken an unusual approach to how it raised its investment capital. By my count, you’ve taken more than $260 million in investments, but the first two rounds were only from Andreessen, and you were at first reticent to take capital from other outsiders. Why did you do it that way and what are you doing with all that money?
Orion Hindawi: We raised from Andreessen twice, and then we thought we were going to stop there. We have not touched any of the money we raised. We have $300 million in the bank and that’s growing from free cash flow. We’re not profitable on a GAAP basis because we’re trying to smooth out the revenue curve by deferring revenue intentionally. … When T. Rowe, TPG and IVP came in, it was because we wanted more voices in the room and we didn’t want a monoculture of viewpoints that tends to take hold at Silicon Valley companies. My friends warned me that they’re “New York financial guys,” and that was exactly what I wanted: Someone who will give me a deliberate perspective that is based on numbers and not based on us feeling good about ourselves.
Do you think Silicon Valley companies in general suffer from this monoculture of views that you’re trying to avoid?
Silicon Valley is, even today, very hubristic about its approach to business. So many Valley companies are convinced that every big company that exists today is going to disappear, and they’re going to replace them, and that is just not realistic. … We’ve got companies in Silicon Valley that are building replicas of the Oval Office and paying $6 a bottle to give their employees pink coconut water because they’re so high on themselves that they can’t imagine ever failing. … I was talking to one guy whose company has $8 million in annual revenue, and he’s spending $600,000 a year on a NetJets account flying himself around on private jets. … That guy should be laughed out of every room he walks into, and yet he’s getting kudos and pats on the back. I think there’s a big correction coming and a lot of the people around us are going to have to deal with that.
So if you have all this untouched money on the books, you clearly don’t need to raise another round or raise capital in an IPO. What is your next step from a capital perspective?
We will eventually do an IPO. We have the luxury of not having the timing imposed on us. I have friends who had to go public because they needed the capital and they had raised so much money but couldn’t get any more in the private markets. We don’t have to do that. I’m looking at the market right now and it doesn’t look like a friendly market.
Let’s talk about Tanium’s software. A customer installs it on their network and what happens?
What you find when you first install Tanium is that you are deficient in nearly every control that you thought you had. Maybe you thought you were patching your software 98 percent of the time, but it turns out you’re patching only 60 percent of the time. … Eventually, after using it for about six months, you realize you have the tool you need to figure out a lot of other things that you didn’t buy it for, and it starts pervading the way you collect data on your network. That’s where it gets exciting because when we define our next 10 add-on modules, the ideas come from our customers who are using it in ways we didn’t anticipate.
So the customers are basically developing new extensions to the product?
Exactly. We had one customer in the U.K. who found it had a lot of machines on its network that were not managed. People were bringing in home machines and plugging them into the network and bringing malware along with them. The customer figured out it could use Tanium to find out how many of these unmanaged machines were on the network. It wasn’t something our product did natively but they built a framework to do it. We looked at it and took over the development and now we have a module that can discover every unmanaged asset on a network.
Who are your biggest customers?
Financial companies are a huge vertical for us. It ties directly to the big breaches in the news. They’re not the people who’ve been breached, but their peers who don’t want to be next. You look at what happened at J.P. Morgan and the entire financial industry woke up. The Target breach woke up all of retail, which is our second-biggest business on the commercial side. Our federal government business is about the same size as financial services but growing faster.
Does your work with government agencies give you any insight into why the federal government sucks so badly at security?.
In general, they set weak goals that would be considered unacceptable in the private sector. There’s a federal project to continuously monitor systems for vulnerabilities. A key step in that process is gathering data. The goal was to collect status data every one to three days. But if you succeed in getting three-day-old data you will fail at protecting your environment.
In a commercial setting, data that is three hours old is unacceptable and most are aiming for 15 or 20 seconds. At the federal level, people setting the goals are afraid of protests from large vendors so they set their goals at the lowest common denominator. The federal government should say it wants more security than the most secure bank in the world. Instead it adopts standards that would give the security officer of any Wall Street bank a heart attack.
This article originally appeared on Recode.net.