Founders Helping Founders with Dave Merkel of Expel

Video Highlights

[02:37] Dave Merkel discusses his early journey and the inspiration to build a cybersecurity company

[13:13] How Dave Merkel sold a cybersecurity product to early adopters

[19:51] When Mandiant made national headlines for their work on the New York Times cyber attack

[33:22] Why Dave Merkel left FireEye after the $1B acquisition and built Expel

[42:32] How to build an engineering team based on trust

[52:33] Advice to founders who are building companies in challenging environments

Q&A with Dave Merkel

Dave Merkel is often at the right place at the right time for critical pivots in the security field. As the former CTO at Mandiant (acquired by FireEye for $1B), Merkel saw the rise of nation-state attacks like Google Aurora. In 2013, when Chinese hackers broke into The New York Times’ computer systems, Merkel’s company Mandiant was hired by the Times and developed widely publicized research about the origins of the attacks. These high-profile events and Merkel’s leadership in cybersecurity helped elevate the topic from a niche sector for tech experts to front-page news. After Mandiant was acquired by FireEye, Merkel co-founded Expel, and is still right in the middle of the cybersecurity conversation. In our latest Founders Helping Founders session, we asked him about his early days in the field and his advice for new founders.

You’ve had an impressive career and founded two big security companies. What early experiences helped shape your journey into entrepreneurship?

One of the coolest things I worked on was when I was in the military. After college, I went into the Air Force and became a computer crime specialist in the Office of Special Investigations. This guy was hacking a bunch of U.S. government and educational institutions, running rampant through tons of these organizations. I ended up on this massive task force with the FBI and NASA. Once we had figured out who the guy was and where he lived, we worked with the police to find him. I was in my mid-twenties and it was an incredible experience. That moment sparked my interest in making cybersecurity my career.

After the 2006 elections hack and the 2009 Google Aurora attack, Mandiant made national headlines when it was hired by The New York Times. What was it like to be at the forefront of building a cybersecurity product during this watershed moment?

That story starts with the Google Aurora situation in 2009, which involved Advanced Persistent Threat attacks from China. Because the attacks went public, and because Google had something to say about it, it changed the flavor of the conversation overnight. The other huge moment for us was in 2013 when there was a China-sponsored nation-state attack on The New York Times. The great thing was that the Times was willing to talk about what happened, and was willing to publish Mandiant’s research. We were able to track the hacking groups literally to the doorstep of a People’s Liberation Army building in Shanghai.

These attacks became watershed moments. We were lucky to be in the right place at the right time, but we also recognized the luck right away and executed on it. You have to surf when the wave comes along.

As Mandiant grew, it attracted interest from large companies and was eventually acquired by FireEye. How did you decide that an acquisition was right for you?

It became pretty clear that if we wanted to scale, we’d need to start doing some things that we hadn't done well before—things we weren’t culturally aligned to execute on. For example, while we did have a sales team, you need to become much more sales-led if you want to blow the top off your sales numbers. We felt that by combining what we had with a great organization that already had that sales-led team and the more scale-oriented mindset, we could really succeed. We’d achieved a certain cachet and value to our business, but it was clear that the acquisition with FireEye would improve the value pretty quickly. The acquisition was right for the next phase of the company. And it was a good time to learn from their executive team.

You co-founded Expel in 2016 and your product for transparent managed security was new and different. When selling to early customers, what were some of your challenges?

Selling is always hard. When you’re in beta mode and trying to get early advocates, it’s even harder because you’re selling something that doesn’t exist yet. You're selling a future that you're evangelizing. It’s hustle, and it’s generating faith. It's having some vision of how you think it's going to go, but finding out that you're wrong and being able to adapt and connect the dots to actually get a few customers to realize some of that vision.

Looking back on your experience as an entrepreneur, what advice would you give to founders building new companies today?

Prioritize what you need to fix in your startup. There’s a bunch of stuff you may never fix, and that’s not a bad thing. And don’t feel like you’re struggling alone—because other people’s history of their past success is usually revisionist. They’re probably polishing up that history, but had the same struggling moments you’re having now.

And always be ready to tell your story to potential investors. As another executive told me, “As a CEO, you’ll always be fundraising.” In other words, you should always be spending some of your time telling your story to would-be investors and building relationships. That means if you need to raise a round during a global pandemic, and transact it all across video and email and never stand in the same room as your champions, it’s essential to have those pre-existing relationships.