Security Program Controls/Technologies, Leadership, RSAC

Island founder Mike Fey talks future acquisitions, and swearing off the phrase ‘secure browser’

Island co-founder and CEO Mike Fey, left, and Dan Amiga, co-founder and CTO (Credit: Island)

The Enterprise Browser is the concept introduced by Island in February when it emerged from stealth, promising the ability to leverage the browser to "fully control the last mile" of application and data protection, from basic exfiltration to more advanced security demands like smart network routing and multi-factor authentication insertion. A month later, Island raised $115 million in its Series B financing round at a $1.3 billion valuation. 

The concept caught on quickly — more quickly than even CEO Mike Fey anticipated, he told SC Media during an interview at the RSA Conference. Just don't call it a "secure browser."

Island has experienced pretty rapid growth — now at unicorn status. We spoke to you about the latest funding round in March, but give me the rundown on that ride so far.

As a startup, you always define an aggressive business plan and go raise your investments on that. We thought it would take longer for people to say “this is new, but we're open to it.” The speed and willingness to engage is very high. We were able to literally rip a year out of the business plan.

The difference is we don't have to take over the whole company. With most tools, you only want one endpoint tool at a time — you only want one network tool at a time. We engage usually [in phases] — let's protect the call center, let's protect the BYOD user, let's protect the contractor relationship. And so they can pick and choose where to start with us. That allows people to engage faster than they normally would with a startup where they might say “Wait, I'm going to put my whole company on you?" We're able to prove our worth, which then sets us up for the following year of the expansion deal. We're able to feed the engine and know where our pipeline's coming from.

Also, we're not asking people to rip their browsers out. We can sit side by side. We can run just when you need us to. I say, “All right, start using my browser. Tell me if there's anything wrong. If there's anything wrong, you go back to your old way.” Then over time I can start to turn off features, have those instead start to show up an Island. I can bring you on that journey.

So you ease them in.

There's an openness to rethink the approach — what would it be like if we controlled the browser? That's taking on a life of its own where a lot outside our company are now coming up with things that can be done using this approach. That allowed us to say "all right, let's double down. Let's go faster." The risk is low. Most of our projects are self-funding. In other words, they're displacing enough complexity and additional tech. I've yet to have a customer say, “Listen, my budget got cut, I can't do this this year.” If anything it's, “Hey, I'm expecting a budget cut. We need to get this other stuff out of here now.”

The concept of a secure endpoint has usually meant a ridiculous end user experience. And so that's actually one of the reason we've been very careful with our message to not use “secure browser.” We think that's a really bad nomenclature because of what's been done to the browser in the past to be secure, like put in a hypervisor and do all this horrible stuff to it. We literally took the Chromium open source project and turned it enterprise. That's all we did.

It's a simple concept, but it's an expensive one to build. It's taken a lot of cash.

Where do you see the target market?

We always felt very good about the enterprise, the larger organizations and our ability to add value to their stack and shrink it. But we have had amazing results with the mid-market. We have a bank that has endpoint protection and us — and that is the entire security stack now. It’s the mid-market’s ability to say, “wait a second, we were born in the cloud. If my browser understands that, and this can deliver the whole security for that cloud layer, why do I do all this other stuff?”

So the mid-market has its own narrative. We're starting to fund that mid-market approach. And then the federal government, as well.

Give me more specifics on the advantage of enterprise versus mid-market. Do they see a different benefit?

So the mid-market customers are not sitting there with a hundred tools, all overlapping, lots of waste. And I don't mean to describe every enterprise like it's horrible, but they picked up a lot of tools. And a lot of tools for a lot of one-off reasons. The mid-market, the born-in-the-cloud guys, they're just getting to that point in their journey where they're going, “OK, what am I going to do?” It’s equivalent to a society waking up and going, “Screw this landline stuff, I'm just going to go to 5G. This is way easier.”

So we're doing fairly large transactions at smaller organizations, which is really encouraging because it tells us the whole entire stack is a real opportunity for me.

So the mid-market is about evolving into what they need. The enterprise is about taking on new challenges, reducing risk on certain platforms.

Managing components of what they have.

Yeah. Contractors, BYOD, call centers. People's eyes open up when they realize you could be a banking call center and never have to see any PII data. You call me up, I bring up your information in the browser, the browser masks it, but I can still work with it. It's also, “Wait, I could have an entire call center that never comes in contact with critical data, doing financial transactions.”

What's your end game? Do you anticipate looking towards potential acquisition, either being acquired or perhaps acquiring other companies? Do you anticipate or hope for an IPO?

So it's funny, I've only left companies I've been acquired from. I build organizations I want to be a part of. And after building one from the ground up with all these amazing people I've met over the years, the idea of swapping it out for some marginal gain isn't there to me. We really think this is an idea that can be a meaningful company, long-term. So we like to think that IPO is where we would go. On the flip side, I wouldn't mind being a very large private company.

Well, and economically right now, most say it’s not the greatest timing for an IPO.

But that's still a good distance out for us. We're very fortunate with over $200 million funding that we can just grow and thrive, and our backers have made it clear there's more if we need it. But we're not looking to be a tuck in for anyone. We're not saying no to acquisitions but we're not looking for them.

What would be the best fit if you did make a buy?

There’s a lot. And we will acquire down the road. Think about all these different features that could be in the browser. What separates them when they're standalone companies — the difference between the No. 5 vendor and the No. 1 vendor — just dissolves if that feature was built directly into the browser.

Take something that maybe today isn't No. 1, because it doesn't have the best delivery system or the best UI. Well integrated with Island, you don't need a UI or a delivery system; the browser takes care of that. So there's a lot out there that we'll be looking at and we signed up with the [investors] we signed up with because they were open to financing such progressive maneuvers. Insight and Sequoia and Stripes are all the type that are willing to double down on a property they trust. And they have made it clear to us that we should keep a wide aperture in how we become the company we need to be.

So you said no acquisition now — but you also seem to have targets in mind. What timeline are you thinking?

Obviously if the market brings us a bunch of things in the clearance aisle, it may move things forward. But I personally would like to continue with what we're doing for the next year or so before I bring in the complexity of an acquisition. But opportunities are opportunities, so we'll look at what happens.

Great. Anything we miss?

We hit the bulk of it. I’d just say that we’re well positioned for people that are asking, “How do I handle this economic downturn and raise my security posture?” And that was dumb luck in terms of timing. ROI is a difficult statement in cybersecurity. We instead want to be synonymous with self-funded projects. Self-funded projects are a good thing. Can I improve my overall posture, my user experience, my security and let it pay for itself?

Jill Aitoro

Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She 20 years of experience editing and reporting on technology, business and policy.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds