Master Move logo—executive career growth and leadership development platform.
Stylized blue monochrome portrait of Andrew Rubin with his name in bold block letters behind his and the Master Move logo in the corner

ANDREW RUBIN

Andrew Rubin is the founder and CEO of Illumio, the market leader in zero trust segmentation and cybersecurity innovation. Under his leadership, Illumio has grown to a multibillion-dollar valuation while shaping how enterprises contain breaches and protect digital ecosystems. In our conversation, Andrew reflects on the naïveté and optimism that fueled his entrepreneurial journey, the cultural mindset required to sustain innovation at scale, and why resilience and authenticity matter as much as strategy.

HEARD ON THIS EPISODE:

Episode transcript

>> Craig Gould: Andrew Rubin, thank you so much for joining me today on the podcast. Andrew, you are the founder and CEO of Illumio, which is, an innovator and a, market leader in the cybersecurity fields, especially around what we call zero trust segmentation. You know, Andrew, I really want to talk to you all about what it’s taken you to get to this point, building your company, the field of cybersecurity, what the hot topics are. But on these conversations, I’d love to start with one common question, which is, Andrew, what are your memories of your first job?

>> Andrew Rubin: Well, first, thanks for having me today, Craig. I really appreciate it. and wow, you’re going to drag me back decades, even quarters or years. you know, honestly, if I think about it, and it’s such a great question, I haven’t thought about it in a long time. If I think about it, I, I think the first thing that actually floods to mind is how completely naive and how little I knew and understood about what it is to even hold a job, let alone what it is I’m supposed to do when I show up at work. M. Despite all the education, going through college or university and coming out, the truth of the matter is you walk in at the beginning and you don’t really know anything. And I absolutely remember that feeling. and you know the expression learning on the job comes from a place. I think it’s because no matter how educated you are, until you’re in the middle of it and you have to actually do something and own something and produce something, you realize that until you’ve done it, you don’t really know what it takes.

>> Craig Gould: Sure. So what was your first job?

>> Andrew Rubin: out of school, I went to work selling telecom infrastructure.

>> Craig Gould: Sounds riveting.

>> Andrew Rubin: Fascinating. I have nothing but incredibly detailed and fond memories of it.

>> Craig Gould: So tell me about how the naivete of, you know, kind of going into that first job. There’s also that same thing when you start a business, right? Because the first time entrepreneur really doesn’t necessarily know what they’re getting themselves into. They’re really driven by passion, optimism, belief in some, some idea or market opportunity that they’ve seen. But it’s, it’s hard to know what you don’t know. Right.

>> Andrew Rubin: Yeah. So actually I think that naivete and lack of experience, and it could be in your first job or it could be in your 10th job or your first company you start. Whatever it is, I think that it actually is both your best tool and potentially maybe your biggest obstacle. Because the obstacle is that you haven’t done it before, so you have no idea what the path ahead looks like, where the potholes are, how to avoid stepping in them. You know, by definition you’re inexperienced, which means that you don’t know what to look for and how to avoid the tough spots. The asset is that you’re not constrained, so you’re willing to think outside the box because you don’t have a box, or you’re willing to think in terms of what’s possible without necessarily getting hung up on what’s going to get in your way. And so I think the trick is to sort of, number one, be self aware enough to realize that you don’t know a lot. Number two, to be careful because you can get in a lot of trouble by not knowing and not being experienced. But number three, to realize that it’s an asset and you’re going to use it to your advantage. Because other people around you may be operating from a place where they’re constrained. And because you’re naive or inexperienced and haven’t seen or done it before, you’re going to immediately build guardrails that aren’t necessarily there.

>> Craig Gould: You know, it reminds me of this, conversation I’ve had a time or two before about Nobel laureates and how their best work is done when they’re in their 20s. And it’s because the, the older you get, the more your knowledge constrains your creative thought. You, you have all these guardrails on what you think is possible, but in their 20s, when they just have the germs of these, of this knowledge base and everything is possible, so the, they’re able to have creative thought in a much wider scope. And so it’s not surprising that some of the more creative entrepreneurs are folks that don’t think of how this won’t work. They just think, well, hey, I bet this could do, and maybe not see all those constraining factors, without a doubt.

>> Andrew Rubin: I’ll give away at least a breadcrumb of my age. So for your listeners and viewers that know this quote, they’ll also give away something about their age. There was a movie called Ghostbusters when I was growing up. I was a pretty big fan of it. And in the beginning of the movie, Dr. Venkman says to Doc Stance, he says, Einstein did his best work as a patent clerk. And you know, the whole theory was that despite the brilliance of Einstein in reality, when he was in his 20s or when he was young and he was doing it with no constraint, that’s where the most creative process occurs. and so whether the quote is true or not doesn’t matter. But the point is that there’s this threat of when you’re young, when you’re naive, when you’re unconstrained, you don’t build artificial barriers. And therefore, it allows the creative process, the entrepreneurial process, to happen in a very organic way. And I definitely believe that deeply.

>> Craig Gould: Okay, so how do you maintain that that was great for you 15, 20 years ago, but how do you maintain that spirit when you become, a company with a $3 billion valuation that’s beginning to be the big entrenched company? How do you maintain that spirit?

>> Andrew Rubin: Well, I’ll start off by saying completely independent of any one company, including Illumio. I do think that, you know, those of us that live our lives and participate in the technology space are fortunate because by definition, we’re in a space where innovation is literally the foundation of everything we do. So there are other industries where I think the answer to your question is actually a lot harder to get to the technology industry, and more so now than ever before. Obviously, with AI and the pace of innovation, we’re being graded every single minute, hour, day, you know, quarter year on our ability to maintain innovation. And if you don’t, you pay the price for it much faster today than you did even five or 10 years ago. So I do think that we have to start by acknowledging that we’re in an industry that’s predicated on saying yes and being able to do what you just described. But, yes, as companies get bigger, even in this space, it does get harder. And that’s where I think the leadership team of the company, CEO included, but the leadership team of the company has to set the tone and the tenor that despite growing up, despite size, the beginning of scale or eventually scale, we have to maintain the innovative DNA. And the cool part about it in our industry is there are so many examples of companies that either have maintained it so much longer than we ever thought they could, or. Or have hit those inflection moments where they’ve broken all the glass necessary to become innovative again. and so it’s possible, and we all know that, but it requires a really concerted effort from leadership all the way through the organization to say, we have to do this. It’s not a feature, it’s an absolute requirement. And size and scale can’t get in the way of, of doing it successfully over the long term. I don’t think that there’s any choice. And so I can Tell you certainly at Allumio. I know I feel that way. I think about the fact that 10 years into our journey, we just released our second real, true second product on the platform and it was born of a series of customer engagements. We didn’t sit down and plan it, it just happened. And the fact that our aperture has remained open enough, over the years to be able to do that, I’m proud of that. But I also know that’s the team and the way they operate, realizing we don’t have a choice. This is how we have to run the company.

>> Craig Gould: Andrew, if you’re sitting down at a dinner party next to somebody who has no idea what Illumio does, how do you explain to them what Zero Trust segmentation is and assumed breach and you know, everything that goes around that. What is the simplest sort of metaphor that you, you throw out there to help people understand what your company does?

>> Andrew Rubin: So there actually is a metaphor, but I’m going to answer the question first without it and just say what we do. CyberSecurity has had one job for 40 or 50 years, which has been to stop a breach from occurring. Unfortunately, and I don’t need to tell anybody this nowadays because we all know it, we don’t stop all breaches. We’re pretty good at stopping most of them, but we don’t stop all of them. So now cybersecurity has two jobs. The first one is try and stop as many as we can. And the second one is contain the breaches that are successful so they don’t end in catastrophes. Zero Trust segmentation is cybersecurity to contain a breach so that once something bad is inside, you can find it, you can stop it from spreading and keep it as small and minimize the impact as much as possible. That’s it. That’s what Illumio does. We find and contain the breach that slips through. And so the metaphor that we’ve actually used, and I’ve used it literally for years and years, there’s a few of them, but there’s one that goes back almost to the very beginning of the company is if I hand, crayon to a 10 year old and I say to him or her, draw me a picture of a submarine. They’re all going to draw the hull. Most are going to draw the periscope, the piece that they don’t draw, but everybody knows they’re there are the compartments inside every submarine. Every sub has been built that way since the beginning. And the compartments are really there for only one reason. They’re not there to divide the submarine up or to create a bedroom for the captain. The compartments are there so that if there’s a leak, you can close that compartment off, but the rest of the boat stays dry and safe. So you still have a problem, but you’ve controlled the problem, contained the problem, and kept everybody inside safe. If you didn’t have the compartments, if there’s a leak, the boat floods the whole thing, and that leads to a very bad, catastrophic outcome. The problem with the compartments is you can’t build them once the leak starts. You have to have them there before the problem. What we do is we help organizations to figure out where to put the compartments, to build the compartments before the breach.

>> Craig Gould: Has the definition of that changed over the time of Illumio? I mean, in my mind, Illumio starts at a place where it’s really about firewalls and servers and data centers. And, you know, here’s your rack, and this is where you’re going to stick your blade. But then things become more complicated when we start talking about clouds. And, you know, I think now you guys are even at, at this specific device level, right? Can you, can you talk about how, you know, it’s, it’s a big concept, but on a, on a, on a micro level, it’s, it’s changed over the, over the years how you guys have applied this mindset, right?

>> Andrew Rubin: It has. And I think the change is actually in two dimensions, or at least two big dimensions. The first one you definitely touched on, Craig. There’s no doubt about it that the world’s become more hybrid, it’s become more complicated, it’s become more interconnected. So most of our customers don’t run just in one cloud. They run in multiple clouds. Most of those customers still have a data center, their end user, compute. The laptops and desktops that their employees use are working from home, working from Starbucks, working from airports, and coming into the office and connecting there as well. Everything about the world has become more hybrid, more complicated, more interconnected. So any security control, whether it’s zero trust, segmentation, a firewall, edr, the thing that you put on the desktop or the laptop or the server to protect all of these things, now have to contemplate a more complex, more hybrid world. As do we. And so just making your technology work, delivering that same security control that maybe 10 years ago or 20 years ago, you only delivered in the data center, and now being able to deliver it still in that data center, but also in aws, Azure, gcp, maybe Ali Cloud, you have to think about the world as a completely hybrid mesh. And so in order to satisfy the enterprise customers needs, you have to be able to deliver against this much more complicated landscape. That’s one dimension of change and it’s accelerated throwing containers, it just keeps changing. The second dimension is the way that we think about building those compartments. And you actually used a word that for us is sort of a hot button because it speaks to that second dimension of change. Everybody originally thought that the use of segmentation was going to be from micro segmentation. So if I go back to building compartments in a submarine, that would be like building a thousand mini compartments inside of one boat. but what we quickly realized was you have to actually build the compartments in a practical way. You have to be able to build the compartments where some are micro but some are grow and much wider. So if you had some very critical part of the submarine, you probably built a single compartment around that very critical part of the boat. But there were other parts of the boat where you’re going to build a much wider compartment. And being able to not only strategy that mixes the micro and the macro, but then also being able to deliver a software platform that allows for the micro and macro outcomes. I can tell you when we started the company we thought micro, micro, micro. Today if I look at how our customers adopt and use our technology, it is a mix of the tightest micro and the widest macro. And when you blend those things together, you reduce risk by having the right compartments around the right things, size the right way. And so those two dimensions of change have evolved enormously over the last ten years.

>> Craig Gould: you know, I heard you talk in a different interview about this relationship between operations and security and how you can’t make a 100% secure environment. But it’s going to be so invasive in weight down operations so much that there’s a trade off there. You just can’t do it. It reminded me, I remember in graduate school there was a conversation about that in terms of the airline industry operations and safety, you could spend as much money as you want trying to build ah, a plane that would never crash, but it would be so cost prohibitive that nobody could have a business model where they run an airline. So can you kind of talk about those trade offs and how you try to operate within that framework?

>> Andrew Rubin: Yeah, I mean there’s a sort of funny story that I’ve used for a long time when I talk to executives in particular when we’re having sort of a practical non technical conversation which is I can actually deliver for you right now in real time in less than 10 seconds, the single best cybersecurity framework. You get everything to run your company and disconnected from the Internet. And everybody sort of laughs. Ah, right. It’s, it’s, it’s obviously hyperbole. It’s ridiculous. But the truth of the matter is, if you’re not connected to the Internet, it’s very hard for somebody to attack you. It’s also very hard to operate as a functioning business. Security is friction. It always has been, it always will be. Security introduces friction into a system. The more security you have, the more friction you have. And so if you step back from the silly comment, which is, disconnect yourself from the Internet, and you think about it as a spectrum of the more secure you are, the more friction it requires, what you’re really trying to do is you’re trying to find the balance. And by the way, friction is not a bad word. It’s easy to react to that and initially sort of cringe up and go, oh, security is friction. Security is bad. Friction is not a bad word. It’s about figuring out what is the balance between what risk are you addressing and reducing. How much friction do you have to introduce to reduce that risk and how much of a toll does it take on your ability to operate or your customer’s ability to interact with you? And that’s the balance, right? How secure do I want to be? What risk am I reducing or eliminating? And how much of a tax do I have to pay to get there? And I think there are two things that actually are really optimistic versions of that balance. Number one, the security tools have gotten so much better at helping to reduce the risk while introducing less friction. Friction will never be zero. If you want zero, no security. It’s probably not a very good operating model for 2025, but there is a way to get there. In other words, you could do it. It’s probably not advisable. The good news is that the tools are getting so much better at delivering risk reduction with less friction than in the past, and I think that trend’s only going to continue. The second thing is that we’re getting much better as an industry and the customers are getting much better at holding the industry accountable, to no longer just walking in and saying, let me show you this shiny object. What they’re saying is, tell me how the shiny object is going to actually reduce risk. It is no longer enough to walk in and say, I can sell you a tool that’s really cool. You have to be able to draw a line between the cool tool and what risk it’s addressing and reducing for the organization. And there have been times in Cyber’s history where the cool tool was the only thing anybody wanted to talk about without tethering it to what is the business risk reduction it delivers. I think CISOs and organizations are getting better at holding the industry’s feet to the fire about drawing the line that connects those two things. You need to explain to me what risk it’s reducing. I understand that there’s going to be some increased friction by. By having it, but if you give me the right balance, it’s the right thing for the organization and I’ll do it. And from my perspective, not just in terms of Illumio’s product and what we deliver, but I actually think that as a CEO, when I think about protecting Illumio, that’s exactly the conversation that I want to have. I don’t just want to talk about the software and what it does. I want to understand risk is it reducing for my team, my customers, my organization. And I think that that’s a really, really healthy dynamic that’s come out the last few years.

>> Craig Gould: I’d like to go back to the beginning of Illumio because your origin story is really interesting in that you’re going in a direction that was so, so novel that you know you’re going to try to have to create a market that creates challenges when you’re trying to raise capital, but it also creates challenges in terms of market timing, the whole push and pull, and how do you create enough knowledge in the customer base for there to eventually be a pool for you? Can you talk about how sometimes we don’t have a clear idea of how long it’s going to take to cross that chasm? Right. I mean, can you kind of talk about those early days and what you were facing in terms of creating a niche where you had to explain and create demand for your product?

>> Andrew Rubin: And, Craig, I will tell you, it’s. It’s literally my favorite question. It’s the one that I feel like, I’ve lived the journey to be able to describe it. And I will tell you we could spend the next six hours, I promise, talking about this subject, because I really do believe that it’s. It’s one of, if not the defining characteristics of Illumio’s journey. And I’ll also start off by saying or answering it, by saying that when we started the company, we had no idea that everything you just described was going to be our Journey. We started the company with a strong belief. Those of us that were there early on, that we were iterating on, one of the most mature, one of the most well understood cybersecurity controls ever invented and still today, the firewall. We truly believe that segmentation was the next logical iteration of what people have been doing with firewalls for decades. And so therefore we didn’t think about, is it a new category, a new market? Will people have playbooks for how to deploy this or what to do with it? Will procurement have playbooks for how to buy it? I mean, I could literally go on for hours about the things that we assume would be there. And within six months of going to market, we realized that we could not have been more wrong about more things having to do with this subject. And it was scary, it was very humbling. It was incredibly challenging to realize that there were no sales reps that we could go hire that came in with experience selling segmentation. so I would say a few things on the subject to not spend six hours on it. The sort of most salient, number one, there is absolutely no doubt that what kept us going through all of it was that even though we didn’t understand the market dynamic, even though we didn’t realize that we were participating in a category or a market creation exercise, we deeply believe that the problem we started the company to solve was real. We deeply believe that there was a massive architecture shift that required building something very different in order to solve it. And the truth of the matter is that actually that never changed everything about the go to market, everything about the market dynamic. We were wrong about all of it. But the actual reason we started the company was to solve a problem that we believed we understood, that we believe customers would eventually understand. We thought it would happen a lot faster and more pervasively than it did, but we really believe that we understood the problem, the solution and the right way to build something novel to solve, it. And that never really wavered. So I think that’s incredibly important because people have said, well, why did you stick with it as you were realizing how hard it was going to be relative to what you thought? And that was the reason why we were just rooted in we’re solving a really important problem and we think we’ve got the right answer. I will say on that subject, of sort of the timing, it took a long time to understand it. But I have a sort of funny anecdote, for lack of a better word, that I’ve come to use to describe what that journey felt like I’ve said, if you don’t know what the difference is between being very, very, very, very, very, very early and being too early, too. I actually have figured out, having lived the journey, the one word that sums it up. Ah, bankruptcy. There are so many stories that we all know in our industry of, somebody or a group of people that started a company to do something, went bankrupt, and three years, five years, 10 years later, essentially the same idea popped up and became a multi decibillion dollar company that everybody knows. That’s a timing issue, right? I mean, more than anything else, that’s a difference in just being really early versus too early. But if you’re very, very early, but you believe and eventually the market proves you out to be right, the only way you get there is to not go broke. And in building a company, the only two ways to avoid going broke are either funding or revenue or some combination of both. We raised a lot of money early on. We were very fortunate to be able to do it. It was hard, as you mentioned, because investors don’t really tend to invest, let alone go all in in companies where there isn’t a category and a TAM and a Gartner Magic Quadrant validated. But we were fortunate to be able to raise the capital. We took advantage of that and we were fortunate to be able to acquire early adopter customers, most of them at scale. And that provided a lot more revenue early on. Than we anticipated. But we realized fairly quickly we were going to need that if we were going to stick around long enough to have a shot at being right. And I guess the last point I’d make on it, and, and the final point is this. We also fairly quickly acknowledged. I’m not going to say that we understood it. I’m going to say we accepted it. We accepted that vendors don’t create markets and categories. They don’t. Customers create markets and categories. You need a lot of them to agree that there’s a problem that they have prioritized solving. And then you need a reference architecture that most of them agree is the right answer. And hopefully a vendor is lucky enough to find themselves in the right place at the right moment in time to be there with the right answer and customers gravitate to that and that becomes a market leader. But, I could go out and evangelize for 100 years the need for segmentation, why it’s important, why it’s crazy to live without it if customers don’t agree and adopt, there is no market or category. And we fairly quickly understood and accepted that that was our reality. And then we just went to work making sure that we built the best possible software and told the story to anybody who would listen.

>> Craig Gould: I’ve heard you say before that cash is insurance. over raising isn’t a bad thing. You, you could be non diluted and it all be worth zero if things break the wrong way. But my impression is that you got the capital, you put together, the team, there’s a skunk works. It’s taking multiple years in stealth to make what you envisioned. And in the meantime, you, the non technical person, you’re out there, doing just like you said, evangelizing about what’s on the horizon. But at what point is there a tipping point? You know, is it getting one big bank to buy in and that is the name that you can drop to the next bank? How did that happen? Where, where was it that you knew we’re going to get traction here?

>> Andrew Rubin: So Craig, I would say two things. One, there is not one tipping point. There are thousands of minuscule tipping points and every one of those tipping points you think is the big tipping point and none of them ends up being the big tipping point. You get that first big logo and you assume I’ll tell the whole world and every other big logo and that means I’m done. No, it doesn’t really work that way. It helps maybe with the next two, but then the third one after that, for some reason it doesn’t do anything. it’s thousands of small tipping points that all add up, and over a longer period of time than you want. And there is not a single day, a single event or a single thing that represents the final tipping point. I would joke that, you know, maybe the big tipping point is going to happen on Monday and I don’t know it yet on Friday, but there’s not one big moment. I think the big category of tipping points are things like in the early days getting those first few very big logos. Even if you can’t put out a press release, you certainly know that you’re going to be talking about it and words going to get out. Obviously in technology and certainly in enterprise it, there is no doubt about it, getting the Gartners, the foresters of the world to start writing. Even if it’s not that magic quadrant or wait, that’s a huge tipping point because now all of a sudden somebody other than you is starting to talk about it. Somebody that isn’t quote unquote on the payroll and they do have customers of theirs that absolutely rely on them for future direction. And maybe that doesn’t get a customer to buy the next day, but it helps inform their roadmap, their budgets for two or three years down the road. So that’s a huge set of tipping points when the analysts start covering. I’ll also say we haven’t talked about it, but the channel, because the channel ecosystem will do an incredible job of giving you leverage in your go to market. But the channel’s job is not to evangelize brand new solutions in categories that don’t exist. So when the channel starts to show up, it’s not because a Illumio has convinced them, to show up. It’s likely because their customers are starting to ask them about, hey, we’re thinking about segmenting next year, who do you think we should talk to? And in those early days the channel says, well, we don’t know because we don’t really sell any of that yet. But once they hear that two or three times, they’re going to go get educated very quickly. And so the channel showing up as an inflection point, I will tell you that, let’s just say over, what has been a 10 year journey, there is no doubt about it that the acceleration of those tipping points in the last couple of years, and I mean couple as in, in a literal sense over the last two or three years, the acceleration, the number of categories of tipping points, the number of tipping points within those categories, I could take the last couple of years and if I aggregated every single day prior to that, it wouldn’t represent a rounding error compared to what we see today. And some of that I think is because customers have made the decision this is a critical control. Some of it give credit absolutely where credit is due. The channel has initiated and invested and engaged. The analysts have gotten very vocal and by the way, the regulators as well. The regulators have a huge piece of, generating momentum in cybersecurity because they mandate certain controls over others. But the last couple of years has been just an absolute set of inflections unlike anything we saw prior.

>> Craig Gould: I’d love to talk about culture and how as a CEO of a company that’s grown so exponentially, how do you scale culture? And I think in the same breath, I would love to go to this phrase mindset and you know, what is the mindset for your employees, but what is it that you evangelize in terms of the mindset your customers should have to help make their environments even more secure? Because I mean, not only Is it, is it a culture that you’re growing inside your company? It’s also you’re evangelizing kind of a security minded culture for your customers.

>> Andrew Rubin: Absolutely. So on the internal answer, first, I actually think in a lot of ways that culture is tied and is similar to the conversation we had around innovation. Culture is not this thing that, you know, a founder or, a group of founders get around a table the day they start the company and say, this is going to be the culture of the company and that’s it, we’re done. Culture evolves over time. Like innovation. The way that you innovate when you’re 15 people in a room with a whiteboard and there’s no customers revenue, you don’t have accountability to anybody. And the way you innovate when you’re a thousand people or 5,000 people or 10,000 people with hundreds of millions or billions of dollars of AR revenue, the innovation that happens in category one and category two are different. The innovation model is different. What’s rooting it and what ties it together is that there is a DNA that says we require innovation to be successful. But the way that you instantiate it, the mechanisms you use, they evolve over time. I think the same is true of culture. There’s a level of DNA in the culture at all. Like there isn’t any company that I’d love to think truly ties back to the very beginning. There’s a set, of values that tie back to the very beginning that certain things that we never want to have change. But the way that we instantiate culture, the way that we propagate it, the way that we build the mechanisms that allow us to propagate it and evolve it over time, those things change with time. Are there a set of core values? Absolutely. We had a company town hall literally just yesterday. Our chief people officer got up and talked about that. Right. Like, even though it wasn’t necessarily an agenda item, it tied to the conversation we were having about where are we in our journey and how was the first half of the year’s performance and what do we need to do in the second half. Those company values are rooted in everything that we do. And so you pull them out and you talk about them a little differently now than when we were 10 or 15 people in a room in Santa Clara. But they are part of the DNA of the company. The culture of the company is similar. We definitely have mechanisms today that we didn’t need back then. We were all in one little office and now we have people all over the world, but the cultural values are still the same underpinning. I think from a cyber perspective, there’s actually a fascinating trajectory and sort of arc that we’ve all lived over the last, let’s say, sort of five to 10 years. If I got a CISO of any large enterprise in a room 10 years ago, and I was the CISO’s coach to talk to the CEO and the board 10 years ago, I would have said to that CISO, here’s the one thing you really can’t say. You can’t go in and say, we’re going to be breached like, you’re the ciso. Your whole job is to make sure it never happens. And if you say it, even if you’re right, the CEO on the board’s going to say, wait a minute, you’re the ciso? Is it your whole job to make sure that never happens? Flip the script. Ten years later. There isn’t a single CISO that I know in any enterprise that would ever walk in and say to the CEO of the board, I promise you, we’re never going to be breached. First of all, half of them are going to walk in and say, it already happened and you know it. Half of them are going to say, it may be happening right now and we don’t even know it. And they’re definitely going to say, if it hasn’t happened yet, it’s going to happen eventually. And therefore, we have to start the conversation from a place of acknowledging that this is now a business risk, it’s a technology risk, and it’s one that we had better have a plan for dealing with, because it’s going to happen. Think about how big a cultural mindset shift it is to take a C level executive and actually be able to flip the script 180 degrees on what the responsibility of their job is and how they’re preparing their leadership. In terms of the risk of the organization, I think that that is an unbelievable. First of all, I think it’s a healthy thing. Secondly, I think it’s an unbelievable acknowledgment of the intellectual honesty we have to have if we’re going to fight this battle every day. But thirdly, it absolutely changes what you do in terms of your strategy and your tactics. Because if your opening line is, we’re going to be breached, then the question that the CEO and the board should be asking is great, what are we doing to stop them and what are we going to do when it happens? But you can’t ask that second question if you’re not willing to acknowledge that it’s going to. I think that’s a huge cultural shift that we’ve seen over the last five to 10 years.

>> Craig Gould: The majority of the conversations I have are with people that our CEOs have been CEOs and I like to talk to them about kind of what their day to day life has been. Right, so what, what is it for you? I mean, is it evangelizing? Is it creating the cadence for the company? You know, set, setting the vision, the proper allocation to capital, all of those things like, and how does that change from day to day, week to week?

>> Andrew Rubin: In some sense, the answer is probably yes. In other words, everything on your list somewhere appears, maybe not every day, but it appears somewhere inside of the scope of the job. I’ll start off by saying what I’m sure everybody you’ve ever spoken to who has either been a CEO or founder, whether CEO or not, I’m sure would echo, which is, I’m incredibly lucky that I have an amazing team, certainly the leadership team in my direct reports, and then obviously all the folks that they’ve been able to bring together. I have an amazing team. And so some of the things that I used to have to do myself, now I’m lucky enough to have people that are a lot smarter, a lot more experienced, a lot, more capable doing them for me and more importantly for Illumio. And I rely on that. And so certainly capital allocation is a hugely strategic topic. I’ll say once a year it’s a very, very prominent topic when we’re building our annual operating plan. But I have an incredible leadership team who works for a few months every year to build those budgets and figure out where investments should be. And at the end I’m, certainly there to look and think about and maybe provide some input. But they’re doing all the heavy lifting and they’re figuring out what the right answers are. So I think it’s important to acknowledge that, that as you grow up, I’ll say certainly a CEO, my number one responsibility is not to be in the middle of all those things. My number one responsibility is to get an amazing team together who can do all those things better than I ever could, and then to hopefully help out, advise, and every once in a while maybe play referee if there’s a debate that somebody needs to make a call on. But, but I think you have to talk about the team first. I will tell you that if you think about, or if I were to think about where I spend my time now, there is no doubt about it that all things equal, it’s going to come down to three things. People, people, people. That’s number one on the list.

>> Craig Gould: Those are three things.

>> Andrew Rubin: Yeah, those are three things, but that’s number one on the list. People, people, people. If, if I’m left alone to my devices, it would be customer, customer, customer. it’s my happiest places when I’m listening to what customers and prospects have to say, by the way, good, bad and indifferent. But I just think the customer voice is literally the North Star of any and every company that builds great product and successfully finds way to solve problems that eventually win in the market. The customer voice is where you figure that out. not locked in a room with a whiteboard back home. So the more time I get in front of customers, prospects and partners, the happier I am because I feel like I’m bringing the voice of the customer back into the conversation we need to have back home. And then I think the third part is, yes, there is some amount of vision and evangelism, by the way, local to the company story and macro to where I believe cyber needs to go for people to be more successful in protecting themselves and reducing risk. And certainly there’s going to be a tether between the Illumio story and that. But there are plenty of times where I want to evangelize where I believe cyber needs to go, even if the world Illumio is not part of that conversation. Because like most founders and certainly most CEOs, I’m passionate about the industry that I participate in. And so I think that those are certainly three things that if you look at my calendar over the course of a week, I bet you could tether 75, 80, 90% of what I’m doing back to some version of those three things. And then, yes, there’s a lot of context switching, there’s a lot of parachuting in and out of a specific conversation in the building. There are of course, problems that end up landing on, my desk like they do any CEOs, but if I can spend most of my time on those three things, I think that’s where I’m hopefully adding the value. That’s my part of a very large puzzle.

>> Craig Gould: Like I mentioned before we got going, I feel like the majority of the folks that listen to the, the podcast are mid level, upper level management that are trying to get from where they are vp, SVP to the C suite. And I’m just wondering what advice you would have for somebody, you know, beyond, you know, Having the gumption to go out and start something on their own. You know, you, you as a C level executive, as a CEO, you, you know, you said number one was people, people, people. And so when you were, when you’re looking for the right people to promote in your organization, to lift up from a VP level up to the C suite, what are you looking for? What is a piece of advice you can give to somebody who’s trying to make that transition, who’s trying to transform not only who they are, but their perception? What kind of, advice can you give to that person?

>> Andrew Rubin: So I think there’s a few things, but rather than think about the question from the perception of like what advice would I give you what to do when you go to work? I actually think it’s more about how to think about trying to move into one of these positions. Right. Like thinking about yourself vis a vis the role. And there’s a few things that I will tell you. I wish I could take credit for any of it. But it’s the same questions I’ve been asking my mentors over the years. And believe me, I’m still asking them. because as a Illumio grows up, my job obviously gets bigger. And this is my first time in this seat into these circumstances. So I’m learning every day. But the themes that have come back again and again, number one, don’t ever confuse the term authenticity for transparency or honesty. Authenticity is about knowing who you are, being comfortable with it, owning it, and not having three different versions of yourself when you show up for work. I’m not saying that in certain settings you don’t have a conversation differently. In a closed door setting with three of your peers, you may talk differently than when you’re on stage in front of a thousand people, but own your authenticity. You are who you are. It’s gotten you to where you are. It’s very likely that that authenticity is what’s going to get you to the next step. And, and, and I just believe that I am, I’m somebody who was born in Brooklyn, New York. Anybody who knows anybody born in Brooklyn, New York knows it comes with certain personality traits. certainly over the years I’ve been asked to do things I never imagined growing up in Brooklyn, like getting on stage in front of, you know, the 800 or so Lumineers. And I’ve had to learn how to make sure that in that setting I can speak in a way that makes sense to a broader audience. But I promise you, I’m still me. And the Brooklyn, New Yorker still slips out once in a while. Even in that setting, you have to be comfortable with who you are. And so the authenticity thing, I think, matters enormously. And by the way, people see through it in the other direction when you’re not authentic, whether they say it’s you or not. All right? And so I really believe that that’s kind of tied at the top of the list for one of the things I would say to people. number two, I’m a huge believer that leadership is about ownership. Like, I say this to my team all the time, my leadership team. You signed up for this job. Nobody forced you to take it. And certainly if you want to climb up to the next job, you are clearly signing up for it by virtue of attempting to get it. But understand that as the leadership job gets bigger, the ownership goes up, you’re responsible for more. You may very well have a larger team working for you. You are now responsible for making tougher decisions than you were before. Ownership is leadership, and leadership is ownership. And as you climb up, into more senior roles, you do not get to outsource the harder decisions. You have to insource them. People are going to look to you to make the hard calls. They’re going to look to you to drive the hard outcomes. And if you’re not willing to do it, then you’ve essentially abdicated the responsibility that you are going for by virtue of going for that bigger job, that wider scope. So remember that leadership is ownership. And I think the third thing is just simply remembering that your number one responsibility, by far and away as a leader, is to lead the team that you’re leading. They’re looking up, at you. They’re taking their cues on what’s right and what’s wrong, what’s acceptable and what’s not, what’s professional and unprofessional. If you’re not leading by example, then please don’t be disappointed, upset, and certainly don’t hold anybody who works for you accountable when they get it wrong, because they’re taking their cues from what they see from you. You are the person they’re looking to, to give them those visual, those mental, those cues around what’s right and wrong, what’s expected and what’s not tolerated. And so every one of my mentors has reminded me again and again that your number one responsibility is to lead, to own, to be accountable and hold people accountable. And I just think that as you think about that next step. So for me, it’s about Allumio getting bigger it’s not about the title changing, it’s about the company changing. If you’re that SVP who wants to be that CRO, it’s about thinking about, well, if I have that bigger title, it’s not just the change in the title or what it says on the masthead on the website. That’s the easy stuff. It’s about owning that bigger job and everything that comes with it. And I just think the quicker you get yourself into that mindset and think about everything through that lens, two things will happen. The more prepared you’ll be for the job, and the higher probability is that you’ll get it.

>> Craig Gould: One last question, and that is, you know, you touched on, your mentors, and, I just can’t tell you how many C level executives I’ve spoken to that have talked about having their own personal advisory board. And I would just, you know, ask you, I think you’ve already touched on it, but what level of importance do you place on mentorship? How do you see great mentors? how do you foster and maintain those, those relationships in your own life?

>> Andrew Rubin: One of the things that I realized fairly early on in Illumio’s life was that some combination of my lack of experience, this category thing that we talked about, and the difficulty of the journey that was probably ahead of us, I realized how thoroughly unprepared I was probably going to be not at everything, but at more things than I initially thought. And so I looked at mentors as effectively the cheat sheet and m. The reason I say it that way is because they’ve been through it before. Not your exact journey, not every situation you find yourself in, but if you have the right set of mentors, they’ve built companies, they’ve run companies, they’ve bought software, they’ve sold software, they’ve fired people, they’ve hired people, they’ve had tough conversations. You can just keep going down the list. So I didn’t look at it through the lens of let me go find a person who’s done this. I just assumed if we’re lucky enough and we execute well enough and we eventually grow up, everything’s going to eventually happen. And eventually my experience, having lived through it, will become the basis of how I feel more comfortable and hopefully get better at doing it. But certainly in those early days, I was going to need a cheat sheet. So the two things that I’ll tell you is, number one, I absolutely believe that the more willing and open you are to ask any question of, anybody you meet who has more experience than you, the better off you’re going to be. The good news is the worst case is they don’t answer it or they tell you to go away. There’s not a lot of downside to asking. The best case is you end up asking a question that person is much more experienced, is intrigued. They actually end up getting excited that they get to pay forward and pass some of the knowledge along that somebody probably passed to them, and you get a great mentor. So that’s number one, is just ask. I got very unshy about asking questions very quickly. But the second thing that ties to that is mentors, advisors or members for that matter. It’s not their job to come to you and say, what can I help you with today? It’s your job to invest in going to them. So that may mean saying, can we hop on the phone? That may mean in many cases, early on, you’re in New York. I live in California. I’m going to be in New York next week. Can I get an hour with you? I’ll make it work. No matter when you tell me day or night, you have to make an investment in these relationships. And in the early days, you got to make a real investment. And I understand that we all went through this crazy thing that feels like 100 years ago called Covid, but xing out those couple of years, the real relationships that we all built for the hundred years before, and it seems like we’re sort of back to it, most of those real relationships were built sitting across the table eye to eye. and the beauty of investing early on in doing that is then over time, you don’t have to do it every time because the foundation of the relationship is built such that, yes, I, can text you, and we’ve got that connectivity, but you’re never going to build a deep mental m relationship with somebody on text message from the very beginning. And so I personally viewed it as such a critical asset for me to have a shot at being successful and hopefully doing my job for the company that I made all those investments. And some of them, by the way, worked out really, really well, better than I ever imagined. Some of them didn’t. Some of them worked for a little while, and then it turns out it wasn’t a fit. I never went in with the agenda of caring about that. I just said, I know this person has more experience than I do, and therefore, there’s probably something I can learn from them. It’s a huge, huge piece of what’s allowed me to sort of do my job, hopefully get better at it. And I’ll also say that the byproduct of it is some of those folks, especially the ones I met early on, I mean, this. Some of them have literally become my closest friends on planet Earth, truly, in every sense of the word. And if, for whatever reason, the professional relationship ended tomorrow, these are folks that are, some of my closest friends in every context, way beyond work. And that’s just. That’s just the bonus that I never counted on.

>> Craig Gould: Well, Andrew, I just really appreciate your authenticity today and your openness and being willing to share your story and your insights. And, I think, it’s been very valuable. And I. I just really appreciate you being my guest today.

>> Andrew Rubin: Craig, I can’t thank you enough for having me. And, obviously I hope to do it again, and maybe we’ll even do it face to face next time.

>> Craig Gould: Exactly right. And maybe I won’t have a cold then.

>> Andrew Rubin: This time it worked out perfectly. But next time, maybe we’ll do it face to face.

>> Craig Gould: All right. Well, I appreciate it.