Building a Cybersecurity Juggernaut

By his own admission, Bipul Sinha was never one of the cool kids. So when he decided, at age 40, to fulfill a longstanding dream to start his own company, he instinctively avoided following any fads. Sinha, who had become a VC after nearly a decade at Oracle, believed success would come not from the trendy sectors of the time — social media, marketplaces, biotech — but from something entirely new based on something old and neglected.

Guided by that conviction, Sinha founded Rubrik in late 2013. Well before ransomware was a thing, the company focused on backup and recovery, helping businesses and organizations secure their data from cyberattacks. The legacy back-up vendors at the time were built for natural disasters and human error, not cyber. Sinha reasoned that someone needed to disrupt the market with a solution that would allow companies to quickly restore their data after a cyberattack, thus avoiding a major business disruption. It was, Sinha admits, a largely overlooked, “C-minus” market.

The real outcomes happen when people aren’t sure if the value can be created or people think it’s too hard.

It’s a great market today, and not because of grade inflation. With more than 80 percent of U.S. companies now saying they experienced more than one data breach in 2022, protecting data from cyberattacks is a top priority for every CISO and CIO, as well as many CEOs. Over the past decade, Rubrik has grown into a company with subscription annual recurring revenue north of $500 million and more than 3,000 employees globally. Its customers total more than 5,500 and include Carhartt, PepsiCo, GSK, The Home Depot, Allstate, and many of the country’s leading healthcare providers.

Although the risks he’s taken so far have paid off, Sinha says he isn’t anywhere near finished charting new paths. His ultimate goal, he says, is the creation of “an enduring institution with lasting impact.”

We are all prisoners of our imagination. If we think big, we will become big.

Bold moves and breakneck speed

After Sinha started Rubrik, it didn’t take long for his big ambitions to collide with reality. Finding talented engineers within his network to serve as co-founders proved to be relatively easy. Arvind (“Nitro”) Nithrakashyap, an Oracle colleague and Soham Mazumdar, a Google engineer who had once pitched Sinha for funding, didn’t hesitate. Arvind Jain, also a veteran engineer at Google, believed wholeheartedly in Sinha. “If you’re doing it, I’ll jump in,” is what Sinha remembers him saying. But hiring outside of that network turned out to be a much bigger challenge than he imagined, with his background as a VC conferring none of the hoped-for benefits. “I thought I’d have 20 people who’d line up to join this company. Forty-five days later, I had zero hires,” he says. “That was really shocking.” For a moment, Sinha considered the possibility that he had made a terrible career decision. He ignored those fears and got to work.

For the next three months, Sinha spent most of his days in a string of Silicon Valley coffee shops strategically chosen near the campuses of companies like Google and YouTube. There, he’d scroll through LinkedIn to identify potential engineers and other technical talent who could build Rubrik’s data security platform. He’d then make cold calls and invite them to meet with him and hear his pitch. Because he was often only a few blocks away, he removed the resistance. People could hop on a campus bike to meet him, finding it hard to say no. After an initial meeting, Sinha sometimes got creative, at one point hosting a baby shower to try to win over the wife of a talented engineer he desperately wanted to hire. By the end of his cold-calling sprint, he had assembled the right team to begin turning his vision into reality.

As engineers worked around the clock to build the software, Sinha sat in a room in Rubrik’s Palo Alto offices with his new heads of sales and product marketing. Together, they worked the phones, approaching potential customers with a gutsy pitch: For $3,000, they could get an “early access contract” to Rubrik’s data security solution. The software itself, however, would not be delivered or available for testing for about a year.

The unconventional approach was rooted in Sinha’s conviction that the normal way startups do things — build first, then sell — was too slow. “We wanted to find early believers,” he says. “If someone has to cut a $3,000 check, they have to convince their boss and then go to procurement. It’s a signal that they’re really interested and are likely to later buy a $100,000 product.” Several hundred companies ultimately took Rubrik up on the offer.

With a ready pipeline of potential customers, the company hit the ground running a year later. In 2015, the first proper year of sales, revenues hit $50 million.

“A startup’s greatest weapon and biggest advantage is speed, and this was one of the fastest moving teams I’d ever worked with,” said Greylock partner Asheem Chandna, a Rubrik board director who led Greylock’s investment in the company in 2015.

The following year, a moment of truth arrived. One of Rubrik’s customers was hit with what is likely to have been one of the first ransomware attacks. As Sinha tells it, nearly all of the company’s systems were compromised, except for the dynamic backup of their data that Rubrik had maintained and secured with tightly controlled user access, or what’s known as a “zero-trust architecture.”

“We recovered all their systems in just a few hours,” Sinha says. “It was a huge eye opener for me. We realized we had found the killer use case for backup data.” Rubrik quickly developed a ransomware detection and recovery product, even though, Sinha says, none of the company’s customers were initially very interested in it. “We used to give it away for free.”

Failure is never permanent

Sinha credits his father with seeding virtually all of his ambitions and his propensity for taking leaps into the unknown. “I’m just a spokesperson for his ideas,” he says.

Before Sinha and his younger brother were born, the elder Sinha left a successful sales career at one of India’s largest pharmaceutical companies to start his own pharma venture. He set up shop not in Mumbai (then Bombay), where he’d been living, but his hometown in the state of Bihar. “He wanted to give people in that area jobs and employment,” Sinha says. But the region was one of India’s poorest and, at the time, launching a startup in India without political connections was difficult. The company didn’t make it. As a kid, Sinha remembers his family having little money while his dad worked on a second venture, which also didn’t pan out. The family moved often in search of cheaper housing. At one point, they lived in a basement with no running water.

“After that, when I was about 13 or 14, my dad decided it wasn’t working out, so he got a small job and put his focus on me,” Sinha recalls. “He said, ‘This is my project. I don’t want my kids to have to same fate as I did.’”

A year later, Sinha’s dad encouraged him to apply to IIT, a network of engineering and technology universities that are India’s version of MIT. Friends and relatives thought this was crazy — Sinha wasn’t a very good student. But his dad pushed him, insisting that Sinha had nothing to lose. At the time, admission to IIT didn’t require a high school diploma with high grades, just a score in the top 1 or 2 percent on a qualifying exam. Sinha dropped out of high school to devote himself to studying for the exam – and learning English. On his first attempt, he failed to score high enough. But, after another year of intense study at home, he earned the score needed for admission.

When he graduated from IIT Kharagpur with a degree in electrical engineering, his mother was determined to ensure Sinha would not repeat his father’s mistakes. “Do not start a business. Get a job, get a salary,” he remembers her saying. “She said this every time I talked to her.”

Heeding her advice, Sinha set his sights on a job in the US, where he figured he could make enough money to provide financial security for himself and his family. After a few years coding at IBM in Bangalore, he landed a position as a software engineer at an Atlanta company specializing in PC hardware and firmware. Eventually, he found his way to Oracle, and after climbing through the ranks of the company, he became a venture capitalist. “It took me at least seven or eight years in America to become confident that I wasn’t going to slip back into poverty,” he says.

His father’s aphorisms kept ringing in his head. “He told me that failure is never permanent, and neither is success,” he says.

Your current circumstances are not indicative of what you could become.

Startup growing pains

As Rubrik evolved from a scrappy startup to a cybersecurity leader, Sinha started to spend more time with customers and left much of the day-to-day management to the experienced executives he had hired. It took him a while to realize this was a mistake. Tensions flared between departments and decision making was sluggish. “If you hire people from outside, they often have a hard time taking a lot of risks because they’re all still learning the systems and processes, and they worry about how they’re being perceived,” Sinha says.

To get the company back on track, Sinha brought company leaders together to collaborate in real time and make group decisions. He replaced twice-a-month executive meetings that lasted 30 minutes, with three-hour working sessions each week.

The pace of decision-making picked up dramatically, helping Rubrik succeed in what is now a crowded marketplace for data security and ransomware protection. To keep its edge, the company has been evaluating ways to embed AI more deeply into its platform, using machine learning models to better identify suspicious activity and understand when an attack is happening, while reducing false positives and false negatives. After an attack, Rubrik’s AI analyzes the streams of data to determine the scope of the cyber attack. Rubrik also recently introduced Ruby, a natural language AI-powered assistant that interacts with customers to alert them to potential trouble and then guides their IT staff through the steps of what to do.

As Rubrik enters its second decade, Bipul says he will continue to focus on building an iconic, lasting company, and he’s recruited an elite team to achieve that goal. He enlisted Chris Krebs, the first director of the United States Cybersecurity and Infrastructure Security Agency to chair Rubrik’s CISO advisory board and hired former CISO of the CIA, Michael Mestrovich. He also added Mark McLaughlin, former CEO of Palo Alto Networks to Rubrik’s board of directors and counts NBA superstar Kevin Durant on the list of Rubrik’s investors. Even Sinha would have to admit that sounds pretty cool.