Tim Sadler, Tessian CEO and co-founder, summarizes his journey from founding Tessian to raising $60m from leading investors.
Why did you decide to found Tessian, and why was email security the problem you focused on?
Tessian was founded in 2013 by myself, Ed Bishop and Tom Adams. We all studied engineering together at university before moving into banking. Working at these multinational organizations, we saw how much sensitive data was put at risk by people sending emails.
Modern organizations process vast amounts of information, and they have a lot of controls to keep that data safe. But even with NDAs, project code names, and policies advocating security best practices, enterprises still face risks from many, many misdirected emails. Today, organizations have to allocate budget to keeping their data safe, and they understand the importance of reputation management.
So we asked ourselves, ‘Why is this a problem?’ We realized that there had to be a technological solution that could help improve email security within complex organizations.
When we started the company we didn’t really have security backgrounds, but we did have the first-hand knowledge of how big a problem this was. When we got in front of our first customers – predominantly law firms and banks – and started talking about the threat of human error in email communication, that was when we knew Tessian had value to offer.
So why is human error such a huge threat?
Email is something we all do. We send 40 emails a day, and generally speaking it feels incredibly safe. It’s a little bit like our own personal safety: we don’t think twice about getting into a car or driving a car, but statistically speaking it’s actually one of the most dangerous things that you can do in your life.
We’re scared by the headline-grabbing stuff, like plane crashes or shark attacks, but it’s actually the unremarkable things we do every day without thinking that are most likely to cause harm. That’s exactly the problem with email, and in particular with misdirected emails. That why the first piece of software we built was targeted at helping enterprises automatically deal with the risk of misdirected email communications.
How important is it that security products don’t disrupt people’s work?
It became clear to us when we were building Tessian that employees wanted a completely automated process. Security leaders understand the risk of misdirected emails and know that a technological solution is needed. However, they want to deploy technology that doesn’t require laborious maintenance or pre-configuration. It has to work ‘as if by magic’.
Preserving the user experience is essential. It was imperative that the technology wouldn’t get in the way of people doing their jobs: no-one wants a pop-up asking them to confirm the validity of every single email they send. Organizations wanted something that just completely blended in with regular workflows. These were some of the key learnings we got from those early meetings.
We’ve worked hard to create something that doesn’t need an enormous IT team to implement. Tessian’s products are completely automated, and the deployment is seamless: it simply integrates with existing infrastructure.
So what are the different problems Tessian solves today?
Cybersecurity previously focused on computer networks before moving on to endpoints, or device-level security. In the world we’re in today, we believe that the next step is to protect people.
This progress is reflected in our development of different email filters. We don’t solely focus on preventing misdirected emails with our Guardian filter any more. We also focus on other areas of security. Tessian Enforcer prevents unauthorized emails, which is where people send highly sensitive information to (for example) personal Gmail or Hotmail accounts.
Our most recent launch is Tessian Defender, which focuses on preventing inbound spear phishing emails. This is a defense against malicious outsiders trying to trick humans within your enterprise, whether it’s encouraging them to click on a suspect link or to make an erroneous payment.
This is why we need a security platform covering the whole human layer. Tessian’s mission (and it’s an ambitious one) is to protect firms against any security threat executed by a human. To get closer to fulfilling that mission, we’re investing in R&D and software engineering. We continue to work on new solutions that address all organizations’ human layer risks.
We are constantly working on innovative ways to deal with security risks that don’t require hiring an additional 10 people to run the software or conduct analysis. This is something that we focus on very heavily at Tessian – to offer software that can be deployed simply and quickly to automatically prevent security risks to people.
Tessian’s Human Layer Security platform is unique in the market. Why do you think you’re the only company offering this solution?
It seems obvious, doesn’t it, to focus on Human Layer Security as the solution to the problems we’ve discussed. The issue is that these problems are incredibly difficult to solve in a manner that provides best-in-class user experience and is completely automated. That’s why machine learning lies at the core of our technology. The products and the underlying tech takes time to get right, and I think that’s why we’re out there alone at the moment.
The challenges we’ve had to work to overcome require intense and rapid analysis of historical data in order to understand conventional communication patterns and behaviors. We have a very short window of time to check an email and make a conclusion about whether it’s going to be OK to send or reply to. Developing that software has taken time and R&D investment.
Another benefit to Tessian – and our clients – is that we’re a relatively young company, so we’ve been able to build the entire system on very modern architecture. This has allowed us to leverage increased speed in the system and an abundance of flexible computing power. In this respect we think we’re ahead of any other company in our space.
We are on a mission to bring Human Layer Security to as many enterprises around the world as possible. We want to keep the world’s most sensitive information and systems private and secure, building technology that allows enterprises to do that by delivering amazing experience both for security teams and also the people that directly interact with the product.
What do you think Tessian will look like in a few years’ time?
I’m currently speaking from our New York office, which we established in 2018. We’re now investing heavily in the US market, and to help us do that we raised $42 million worth of funding in a round earlier this year led by Sequoia Capital. Sequoia invests in the best security technology companies in the world. We raised the capital to move into new markets as well as significantly expand our R&D activities.
Our goal at Tessian is to protect the human layer in the same way that firewalls protect the network layer and endpoint security protects the device layer. We are focused on the automatic protection of any person processing data within the enterprise. In the future, I see Human Layer Security being a concept that is brought up at board level, exactly the same way that these other concepts in cybersecurity are discussed.
Ultimately, humans make mistakes, they break the rules and they are easily deceived. These three problems are huge security vulnerabilities for people and organizations. It’s also much harder to protect people, but it’s also much more important that they are protected. Every organization has some kind of firewall protection against the network. They will have some kind of endpoint security protection on their devices. We see Human Layer Security really being the third piece of the jigsaw puzzle that’s currently missing from these organizations. Tessian wants to be the layer that protects the most important part of any enterprise – your people.
*Interview condensed from Modern Law Magazine supplement, May 2019.