The Big Interview: Rubrik CEO Bipul Sinha on going from no running water, to running a $500m business
On Magic Quadrants, deal size, changing approaches to cyber-resilience and learning from his father.
“My father was a failed entrepreneur” says Bipul Sinha, without any apparent bitterness. “We grew up in a lot of poverty. We were always moving because we couldn’t pay the rent” he recalls to The Stack, remembering living in a basement with no running water for a while.
He's not disrespecting his parents; rather, responding to a question about where his entrepreneurial hunger comes from. The answer is, in part, simple: Dad, who inspired him with persistence, curiosity and spirit but who couldn’t quite achieve his dreams – yet passed on his ambition.
The softly spoken founder and CEO of cybersecurity company Rubrik was taking a moment to reflect on his career, during a European trip to meet customers and staff of the $500 million revenue company he's built.
Sinha spent eight years working for Oracle, polishing his skills and securing several patents in distributed systems after training as an engineer, before he “got the confidence that I won’t slip back into poverty” he says. At this stage, that doesn’t look likely anytime soon.
Rubrik: The House Bipul Built
Rubrik provides backup and data protection software to help organisations recover swiftly in the event of a cybersecurity incident like a ransomware attack and the company, founded in 2014, has capitalised on a growing recognition that cyberattacks are a matter of “when”, not “if.”
Its CEO says pugnaciously that “The traditional cybersecurity industry almost earns $200 billion per year selling 60 to 80 different tools across hundreds of vendors for prevention. And they have not been able to prevent anything. Ransomware was a reckoning for our industry…”
(EDR’s catching millions of attacks will no-doubt howl at that characterisation with a “it would be a lot worse without us” but phishing attacks continue to slip the net and destructive ransomware attacks rife.)
Business leaders should be focused not just on protection but resilience, with the game plans, training and tools in place for recovery, he says – and a $500+ million annual revenue figure suggests Rubrik’s offering has caught on – despite there being plenty of companies in this space.
Scalable, immutable backups
Rubrik’s genesis came as he looked at some of the issues of existing backup solutions, says Sinha, which a decade ago he says were largely Windows Server-based, “single box” solutions that neither scaled out fast in a world of rapidly growing data, nor were easy to configure.
Rubrik by contrast (which customers can buy pre-installed on commodity hardware appliances for deployment into a datacenter, through single node appliances for use at the network edge, or as a SaaS in the cloud) can scale out immutable data backups to massive enterprise scale – and even recently won a prestigious Red Dot award for its user interface.
The company has also been named a Leader and positioned furthest in vision in the 2023 Magic Quadrant for Enterprise Backup and Recovery Software Solutions, the company says proudly, although its revenue growth has slowed recently amid broader industry belt-tightening.
Rubrik limitations: Work is ongoing...
That Magic Quadrant itself points to some Rubrik limitations however, flagging its “limited SaaS application coverage: Rubrik has limited support of SaaS applications beyond Microsoft 365. Coverage is not yet available for applications such as Salesforce, Google Workspace, Microsoft Dynamics 365, Azure AD, ServiceNow, Azure DevOps and GitHub.”
CEO Bipul Sinha tells The Stack that building out application backup coverage is a priority in 2024, but emphasises that the company can, amongst other examples, already backup workloads running on VMware vSphere, Microsoft Hyper-V and Azure Stack HCI, and Nutanix AHV platforms, as well as a strong mix of relational and non-relational database management systems from SQL Server, SAP HANA, MongoDB, and more.
Others are coming, he says: “We just released our data security solution for JIRA Atlassian. Supporting mission critical SaaS application is our goal. In Rubrik, we have always taken the approach that we want to build a scalable enterprise-ready solution” he says cautiously. “This has its own cadence, because it will make people rely on Rubrik to recover from ransomware… we are on a cadence to deliver most of the SaaS solutions.”
Can he be more specific? How many more enterprise apps will get Rubrik backup support in 2024? “I can't tell you that. But you can assume [some on the] list that you just noted” he says, referring to those The Stack name-checked as missing. “We are going to definitely announce more.”
Despite some bold ploys, including a recent $10 million ransomware recovery warranty for qualifying customers and, unusually, inviting the entire company to board meetings, Sinha has also been cautious. I
If you’re promising to protect mission-critical data, you have to be, he says. It’s taken a carefully-carefully approach to its build, tapping a rather clever custom file system for out-of-the-box immutability and making sure that architecturally, if someone’s Active Directory gets compromised in an attack, the “bad guys” can’t easily pivot to Rubrik backups in a way that has been common, he suggests, with rivals – in part by using Rubrik’s own native MFA system, which is enabled by default, the CEO says.
He adds: “We combined backup software and storage software in a single software. That single software does the function of both. Since we don't have any storage that syncs over the network, people can't discover us.”
(Rubrik has an API-first design that requires authentication to all endpoints that are used to operate it. Any APIs which could potentially cause data removal within Rubrik are also blocked by default. Those needing to get around this need to get privileges granted on a “token by token basis to allow scripts to consume these endpoints.” n.b. For those wanting to take a deeper dive into Rubrik cluster communications, file system and logical layer etc. can take a look at this whitepaper by former Rubrik Chief Technologist Chris Wahl, which captures some details.)
Technology aside, what has the company’s CEO learned on his journey from basement to engineer to entrepreneur? Not all technologists manage to keep a steady hold on the reins as a company scales to $500 million by-annual-revenue level. What stands out for him on that journey?
One of the biggest challenges earlier on, he says, was striking the balance between knowing when to get involved and when to step away from decision-making: As a founder CEO a company is your “baby” and it can be easy to become a bottleneck as a result. Early on, he says, he tried to mitigate this risk stepping away too fast – and found that his more hands-on input was still needed. The company is now past that stage, he adds. Going from being in VC (he was a partner at Lightspeed Venture Partners for four years) where everyone wants you at the table and “comes to you” to to scrambling about as a scrappy startup early on, looking for both funding and early customers was also a culture-shock, if a welcome one; he recalls standing to the side of a portfolio company’s stand whilst still working in VC, handing out cards for his new company, scrapping for every bit of attention from potential investors and buyers.
Meanwhile, he says, the market keeps evolving.
As well as those SaaS backup integrations in the pipeline, Rubrik has also been acquisitive (recently buying data security posture management platform Laminar, for example, which lets customers “automatically find, prioritize, and fix policy violations for data exposure”). Buyer conversations are changing, Sinha says, as cybersecurity becomes more of a strategic priority among the C-Suite: “100% of my conversations in the UK have been with CISOs and CIOs” he says. “Five years ago it was IT Operations… cyberresilience is the future of cybersecurity and you can see how the market is changing by who we are talking to,” he emphasises.
Meanwhile despite organisations consolidating vendors and broader CIO and CISO caution in many quarters around budget allocation, he believes there is a “lot of space in the market; a lot of opportunity. We sell into the higher end of the market, the average deal size for us is $200,000.”
Thank ransomware, thank the bitter experience of organisations that have lost tens of millions recovering from incidents, thank Dad, or thank a clearly thought out proposition delivered cleanly and delivered early, but clearly running water is not going to be a problem, ever, ever, again.