Award-winning cybersecurity firm CyberGRX helps businesses minimize their exposure to third-party cyber threats.
See Kneip's Cybersecurity Tips for everyone at end of article.
You might find this hard to believe, says Fred Kneip ’92, but hackers are lazy. He knows this doesn’t sound right, because in the news of late it sounds like they’ve been busy. Security breaches, data leaks, ransomware—terms that we never knew existed a decade ago are now as familiar as the morning alarm clock, and no less jarring, because the companies we trusted behaved carelessly with our most personal details.
As the chief executive officer of an award-winning cybersecurity firm, Kneip understands this frustration better than most. What he will tell you is that companies understand it, too. The largest and most successful spend millions fortifying their networks against intensifying cyber threats. But that’s still not enough to safeguard against more than half of all breaches.
Take Apple, as a hypothetical. They make the iPhone. But in reality, they don’t really make anything. It’s their design for the iPhone that gets sent to manufacturers and suppliers, companies they trust, who assemble the myriad components into that beloved smartphone. And Apple rightfully treats that design like the crown jewels, spending whatever is necessary on its in-house IT apparatus to keep it out of the hands of hackers who want to make knockoff iPhones. And see, this is where the laziness comes in. The nicer word would be methodical. Hackers know they can’t scale the Apple fortress easily. But maybe one of those manufacturers, one of the partners to whom Apple sent its iPhone designs, is slightly more vulnerable, less rigorous, and less diligent about its network defenses; maybe there’s a way to steal the goods from them. Apple trusts its partners. But how can it be so sure?
Kneip began thinking about this problem while serving as the head of cybersecurity at Bridgewater Associates, a hedge fund in Westport, Connecticut, in 2014. Before that, he had spent seven years at the global consulting firm McKinsey & Company, traveling the world and talking with large industrial and manufacturing companies about their strategies and concerns. The threat of hacking wasn’t as blaring as it is today, but it was quickly coming on their radar. Kneip could see that the present cybersecurity procedures were unfit for the modern economy.
“In the last 10 to 20 years, the explosion of outsourcing has allowed people to focus on their own core competency and outsource the remainder—manufacturing and other things,” says Kneip. “That has accelerated business in ways we can’t even imagine.”
It has also made the global economy phenomenally more complex, and “companies are no longer self-contained,” says Kneip. “The term we use is a digital ecosystem. People aren’t cutting their own checks anymore; they use ADP. They don’t have their own in-house counsel; they’ve outsourced it to a law firm. Marketing tools will run all your analytics for you.”
The proliferation of business-to-business companies and third-party relationships has also widened companies’ exposure to possible attack. And hackers have noticed.
“The Dragonfly attacks on critical infrastructure,” says Kneip, referring to 2016 malware attacks allegedly perpetrated by Russian cyber actors on commercial energy facilities across the U.S., “if you read the notes between these guys, they’re actually saying, ‘OK, let’s find who the third parties are that supply the systems to these utilities; those are the guys we have to go after.’ It’s clear that this was an attack path of choice.”
How was Delta Airlines attacked in 2017, leading to a massive data breach of credit card information of up to 850,000 customers? A third-party chatbot on the carrier’s website. The problem is worsening: 57 percent of network breaches are now caused by third-party vendors.
Kneip saw that the way that companies determined the cybersecurity strengths or weaknesses of their downstream partners was by sending an Excel file questionnaire with questions like, “Do you update your software?”
“Then someone has to fill it out,” Kneip says. “And someone has to read that and respond and determine if that’s appropriate for their level of engagement. This is fine if you have 25 or 30 third parties, but a typical Fortune 500 company now has about 10,000.” (Kneip’s largest client, a multinational health-care conglomerate, has roughly 127,000.)
As he was thinking about this issue, around five years ago Kneip met Jay Leek, the chief information security officer at Blackstone Group, the investment giant. “He and I were talking,” Kneip says, “and he said, ‘I have this idea, would you be interested?’”
Leek held a quarterly conference call with companies within Blackstone’s portfolio, about 120 in all, including some as large as Hilton Hotels. About 90 percent of them, he realized, were using ADP as their payroll processor. Half of them were sending a team on site to ADP each year to do a security evaluation at a cost of around $5,000 to $10,000 apiece. “That’s 50 companies spending $10,000 each,” Kneip says. “He’s like, OK, that alone is ridiculous, and that’s just one company!”
Kneip had his epiphany. With Leek’s help, he started CyberGRX in Denver, Colorado, in 2015 with $9 million in funding. Just over four years later, the company has raised more than $100 million with the latest funding round led by ICONIQ Capital, an investment firm known for its ties to Mark Zuckerberg, and boasts 125 employees and over 100 enterprise clients, including Blackstone, ADP, Aetna, and MassMutual.
The GRX stands for Global Risk Exchange. Kneip’s company is a platform where clients and third parties can support each other, knowing the suppliers have had their cybersecurity procedures vetted and verified.
Instead of a large company sending out thousands of time-sucking questionnaires, or spending thousands to perform on-site security evaluations over and over, CyberGRX handles the due diligence and has partnered with Deloitte to perform validation. The results get shared onto the exchange for an enterprise to evaluate and monitor.
“A simple analogy,” Kneip says, “is if you had to raise capital in a debt market 100 years ago, every bank and investor would come and do their own due diligence, and it would be a nightmare process. Then there was the invention of these concepts called Standard & Poor’s, or Moody’s, or Fitch that will review all the detail and data around the financial stability of this company and give it a credit rating. People say, ‘OK, I’m going to go read that report and get everything I need.’ We’re providing effectively the same concept in cybersecurity.”
The platform saves a lot of headaches for the large clients, who now have the reports at their fingertips. It also benefits the third parties, more than 60,000 of whom, according to the company’s website, now can receive a single comprehensive assessment and then “never have to complete another spreadsheet again.” Kneip even talked to the team at Intuit who designed TurboTax to make the questionnaire process more tolerable. “We felt like if they could make tax preparation tolerable, somebody can help make a security questionnaire better,” Kneip jokes.
Each company’s individual answers to the questions are presented in a sortable dataset, which also helps the large clients scanning for vendors on the platform. “When you’ve got 4,000 third parties, you need to be able to sort and filter in some sort of way,” Kneip says. “Now you can filter by law firms or data protection controls or access management controls and index that against how much they bill. This helps them make decisions about who to work with.
“We call ourselves a dual-sided platform,” Kneip adds, “because it creates value on both sides.”
Kneip comes from a family of Tafties, including brothers Will ’96 and Robert ’04. He captained the squash team at Taft before studying civil engineering at Princeton and had never considered starting his own business. His career path, starting at Merrill Lynch out of college before getting into private equity and earning an MBA at Columbia University in 2004, took him to varying and disparate corners of finance and management, which at times left him gasping, “What am I doing here?” But that background also gave him tools to put his own stamp on something unique.
“I look back and, you know, I wish I’d gotten into startups or on the entrepreneurial track earlier on; it’s just so much more fun and fulfilling, and the energy is so great,” Kneip says. “But I’m happy with the trajectory. I wish I could tell you it was planned.”
His experiences at established global firms helped Kneip lay the foundation for what he’s most proud of about CyberGRX: the culture. He drew upon “a lot of things I liked about Bridgewater,” as well as “a lot of things I didn’t like.” There is also a fellow Taftie, Mark Herrlinger ’84, who serves as the company’s director of exchange services.
After being born and raised in Brooklyn and living mainly on the East Coast, Kneip has mostly adjusted to the altitude difference in Denver with his wife, Greer, and their three boys, Freddy (12), Rylan (9), and Graham (5), who enjoy skiing, hiking, and, of course, playing squash. “The family loves it,” Kneip jokes, “although at times I’m still winded going up stairs.”
Kneip says he wanted to build something that offered real value, made him excited to go to work every day, and posed problems on a recurring basis that were complex and stimulating. So far, he has checked all those boxes.
“I’ll never go back to a large organization again,” Kneip says. “This is without a doubt the most fun I’ve ever had.”
Zach Schonbrun ’05 is a senior editor for business and technology at The Week magazine and author of the book The Performance Cortex.