Tom Leighton’s path to co-founding a business was an unusual one. He was a professor of Applied Mathematics at MIT, and a collaboration with a student, Daniel Lewin, produced a means of commercializing Leighton’s research into freeing up web congestion using applied mathematics and distributed computing.
Tragically, Lewin perished on American Airlines flight 11 on September 11, 2001. Leighton would go from Chief Scientist to Chief Executive Officer of Akamai in 2013. The company’s revenue has more than doubled in the interim, and the largest source of the company’s growth has been its push into cybersecurity. The company’s focus is cybersecurity at the edge. Leighton envisions a day soon when companies will ditch their firewalls en masse. He explains his rationale in this wide-ranging interview conducted at an InspireCIO event in Washington, DC.
Peter High: Twenty years ago, Danny Lewin and you founded Akamai while you were a professor of Applied Mathematics at MIT. The path from academics to the startup world was not a well-hewn one. What was it about this idea that drew you to entrepreneurship?
Tom Leighton: Danny and I had no experience in business, so starting a company was the furthest idea from our minds. However, there was a business plan competition at MIT’s Sloan School, and Danny, who was my graduate student at the time, was worried about going broke from student loans. Danny’s next door neighbor told him that the competition had a $50,000 prize, which just about matched Danny’s debt. What Danny did not know was that the winner received only $35,000 of the prize and that he could not use the earnings to pay off his student loans. However, that motivation got us into the competition. We rented books from the library to prepare, but since we had no business experience, we [read] “Business Plans for Dummies”. Throughout this process, we became interested in how the technology we worked on in the lab could make a difference with web congestion, making the Internet faster. As part of the competition, we met potential customers, experts in the industry, and experts in business. We learned a great deal throughout, one idea led to another, and we started the company 20 years ago.
High: You were originally the Chief Scientist of the company. What did that role entail?
Leighton: The role is similar to being a CTO, but Danny was the CTO. The first question we had to answer was who the CEO was going to be, and since I was the professor, and he was the student, he told me that I should be the CEO. In response, I told him that I had no experience in business, and therefore, there was no way I could do it. I instead suggested that we find a CEO with real business experience. Danny was a brilliant mind, a Captain Elite in the Israeli Defense Forces, and a fantastic leader, so my other idea was that he could be the CEO. However, Danny agreed with my first proposal, so we made a fantasy list of potential CEOs. George Conrades, who was the number two at IBM for many years, became our first CEO, and Paul Sagan became our second CEO when George departed. Between the two of them, we were fortunate to get some experienced leadership.
High: How did you gain the business experience that allowed you to eventually step into the CEO role yourself? What mentors did you leverage along the way to ensure that you had the appropriate experience to rise to the role?
Leighton: As a co-founder on the technical side for a technology company, I worked closely with George and Paul. Over those 13 years, I learned a great deal from them, which helped me be ready to step into the role. When Paul decided he wanted to retire, I told the board that I would be interested in becoming the CEO. To this day, George and Paul are both great mentors for me.
High: When you became CEO, security was not what the organization was known for. Today, over $700 million of your revenue comes from security, and it is the fastest-growing portion of your portfolio. Can you talk about the pivot from your traditional founding areas to a fast-growing security offering?
Leighton: We tried to commercialize our security capabilities for a long time, but we were not successful. In fact, our roots in security go all the way back to 2001, several years after we formed the company. That summer, the Code Red virus was released, which was partially designed to attack the White House infrastructure on the Internet. While we had no government or security business at the time, the President’s national security advisor, Richard Clarke, showed up at our Cambridge headquarters. We did not know him, but he somehow knew us. He informed us that there was going to be a massive attack on the White House internet infrastructure in two weeks, and he believed that we could help him. Somehow, they figured out that we had a large-edge network with a large number of servers close to where the users were and where the attacking bots were. He felt that if the traffic was directed through us, the network had enough capacity to filter out the attack and protect the core. We agreed, and sure enough, it stopped the Code Red attack against the White House, which gave birth to our government and security business.
However, it took over a decade for the commercial world to appreciate the challenges they were facing with DDoS [distributed denial of service] attacks, application layer attacks, and the loss of their private data. Specifically, the attacks from the Middle East on the North American banking system became concerning. No matter what product they bought, they could take banks offline, which was the wake-up call that enabled us to get going. The banks would turn to us, and we kept them online. This problem started our security business in 2012, and within a few years, it will be our largest product area.
High: You just alluded to better protection of the edge, which is an area of emphasis for you. You have been putting more dollars into this area, and it has become a way that you protect Akamai itself. As a result, the first customer is your own company. Can you talk about that evolution?
Leighton: We have always believed that the best way to deliver content and protect assets on the Internet is through what we call an edge platform or edge network. The traditional cloud and data centers are in the core or the middle. There are a limited number of big cloud data centers, and they have big transit pipes coming into them. However, the capacity there is quite small. The vast amount of capacity on the Internet as the last mile connections into homes, offices, and schools is at least two orders of magnitude bigger than at the core. This creates a problem when you want to deliver content because if everybody is watching an event, that creates a great deal of demand out of the edge, especially now that so many countries have strong last mile connectivity. As a result, the core gets swamped, which is what we looked to solve when we started the company 20 years ago. By delivering from the edge, we can have huge scalability and provide great performance.
The same is true of security. Today, there are billions of devices in homes and offices that are not adequately secured. These people have access to a large amount of bandwidth because the last mile connections are strong. In fact, they now have good CPUs of the full communication stack, so as a result, the bad guys can take them over. We are seeing many [talented hackers] co-opted into bot armies, and the attacks they are currently launching are measured into the low single-digit terabits per second. While this may sound small, that is enough to wipe out any cloud data center, which can be the backbone of many countries. While the U.S. does not bear the same risk, if you direct the traffic appropriately, you can isolate the country from the rest of the world. That damage is a fraction of what could be done with the attacks we will see in the future. The only way to stop these attacks is to absorb them out at the edge. This was the same thesis we had when Richard Clarke visited us in 2001 and said, “We have a problem, and we think your edge architecture can help.” I believe this thesis is even more relevant today.
High: One of the unfortunate realities is that the bad actors are quite innovative themselves. Therefore, it is crucial to stay current to the new approaches that they are developing. How do you do that?
Leighton: The bad actors consist of major governments that are incredibly well funded, they are highly motivated, they act with autonomy in many parts of the world, and they have access to immense talent. Because the adversary is capable, we invest substantial time in both defending ourselves and building products to defend our customers, which consist of governments, banks, media organizations, and commerce companies. Bringing products to market to stay a step ahead requires a tremendous amount of innovation, investment, work, and development. Furthermore, we acquire startups, and they sometimes have clever ideas that we can bring into our platform to help our customers.
High: At the RSA Conference, your Chief Security Officer delivered an address that was titled, “How do I get my company to ditch the firewall?” Do you foresee a reality where that is possible?
Leighton: While it will not happen overnight, the firewall’s time has passed. Every time you see the latest headline about some breach, you think it cannot get any worse. The next morning, you wake up and see that the latest headline is about another massive breach. These breaches are not because the CIOs or CISOs are stupid and careless; they are smart and hardworking people. Unfortunately, it is hard to defend against attackers because if the slightest error occurs, you are dead in the water because the adversaries are extremely well-funded. No matter how much you train your employees, they are going to go to the wrong website and click on the wrong link. As a result, they will get malware on their devices, authenticate themselves with the VPN at the network layer, and the attackers are going to be allowed into where the goodies are. Once that happens, the malware spreads within hours. On the flip side, it takes months, at best, to catch this. There is no way the firewall defense works anymore because you have to treat your internal applications and employees the same way you would treat external facing apps. You have to check each application, and you absolutely cannot let your employees have direct connection to your internal apps, which, unfortunately, is how it works almost everywhere today. Instead, you have to have the full security suite between all communications so that an employee or device inside is not allowed to touch anything else inside. This essentially means you have to pretend the firewall is not even there because it is not helping. It is called zero-trust because you cannot trust anything, so everything has to be treated as if it is out in the world at large.
On the bright side, there are now capabilities to help with this. We can use the same type of solutions that we are using to protect your websites and applications as they go to the outside world and bring that to bear internally. Specifically, we can do authentication at the app layer to provide a zero trust architecture. A decent fraction of our employees no longer use the VPN, and by the end of next year, none of them will use it for our internal applications. I believe we are going to see more of that happen. As a result of this similar approach, companies will save money because they will no longer have gigantic private network costs, and they will not have to be fortifying massive data center build-outs. These data center build-outs are coming too late because the volume of attacks can swamp them. Soon, it will all be in the cloud in a much more secure way.
High: What are some of the areas and trends that excite you as you look to the future?
Leighton: We have made a huge investment around security, and as I mentioned, it will become our biggest business in five years. I believe that in five years, most people will not have traditional firewalls, but change sometimes moves slower than technologists predict.
There is a great deal of interest in blockchain, especially in foreign governments. There is an interest in making sure that governments get their tax revenue with the move to digital currency, and they want to slow down the black market.
There is a big challenge with IoT as billions of devices are not secured. Our goal is to funnel communications from those devices into a security layer to keep them from doing damage and help protect them from getting infected.
Lastly, identity management is an interesting area going forward from both a security and privacy of information perspective.
High: As a large organization, how do you maintain an entrepreneurial spirit?
Leighton: You have to work extremely hard at it and make it a top priority. When you are a startup, it is obviously easy to have an entrepreneurial spirit. However, as you grow larger, invariably red tape comes in, bureaucracy arrives, people get nervous about presenting a crazy idea, and there are more people who can say no. Because of this, you must put a major emphasis on giving good ideas oxygen, helping those ideas grow, and having mechanisms to develop them. There is no shortage of people who have good ideas at Akamai. In fact, there are more good ideas today than there were when we started because we now have more smart, entrepreneurial-minded employees. That is not the issue as the trouble is with the infrastructure around these people. To counter this, we have made major efforts to stay innovative.
We have a company-wide business plan competition, which is how Akamai started in the first place. This year, we had roughly 800 entries, we put them up on a wiki so employees can contribute to each other, senior management judges the competition, and we fund the ideas that win. This competition has made an impactful difference in the past as the winners have started business lines for us. For example, part of the zero-trust idea that we began several years ago came out of this competition.
We have tech jams in every one of our major offices. Most recently, we had a tech jam in Cambridge where anyone can take 48 hours to code whatever they want. This is then presented in a science fair, the executives will judge, and we name winners. We saw some amazing ideas, and even ideas that do not win can end up getting implemented. I recently judged a tech jam in Tel Aviv, and they have some great work going on in security. These tech jams are a great way for creative ideas to get exposure and become implemented. In order for this to be successful, the ideas have to be put into place and the senior executives have to engage. This is critical because if you do not keep up in tech, you can be dead before you realize it.
High: As CEO, you have worked with a number of CIOs as customers, and you have had your own CIOs. How has the relationship between the CEO and CIO evolved over the years? Furthermore, how do you see the value of the CIO position evolving?
Leighton: Part of the evolution has to do with the digital business transformation. Because the world is moving at such a fast rate, the CIO role is no longer just about keeping the lights on. Instead, the role is centered around moving the company’s infrastructure forward so the organization can be more effective. At Akamai, we are drinking our own champagne as our business is often the first to use our new products. We do it in a safe way, and the deployed platforms are always kept separate from our internal employee infrastructure. We try out the new products and get the feedback to the product teams early. That is important for us because we are the test case for what we are going to be selling to our customers, so it is great to get that feedback from the CIO organization. The CIO is a major business partner in a variety of ways at Akamai.
High: Tragically, your co-founder Danny Lewin passed away in the 9/11 attacks, three years after the organization’s founding. Can you talk about how you recovered from the loss of somebody so important?
Leighton: Danny was the heart and soul of the company, and for him to be killed on September 11th was devastating. To make matters worse, there was chaos throughout the country that day because people were desperate for news. When you have big events such as 9/11, many of the bad actors come out in force. As a result, many government sites were attacked, so it became even harder to get the news out. These organizations had to work with the massive amounts of people looking for information while having to deal with the attackers. Because of this, September 11th was the biggest day in terms of the need for our employees to help our customers. While we were dealing with tremendous grief, we had to work three times harder to help our government customers get online. Because of the emergency integrations, many government organizations became customers that day. We had to help them withstand both the legitimate traffic and the attacker traffic. This represented a brutal time period for the company. In some ways, we were able to fulfill Danny’s vision by helping many government sites, but the dot.com crash followed. Over the next few years, we laid off two-thirds of our employees, and we nearly went broke. Likewise, many of our customers went broke, so this represented extremely dark days for the company. These tough times are where the character of the people that worked at Akamai carried the day. The technology was great, but it was the people who withstood all that adversity and worked extra hard to bring the company through that period that made the difference.
High: As someone who still works at MIT, could you talk about the enterprise to university relationship?
Leighton: I believe that having strong relationships with academic institutions can provide tremendous value for a technology company. Much of the talent is coming from [universities], there are folks doing research there, and there are many innovative ideas in that space. At the same time, I believe the tech industry can help academics. Academics are looking to work on relevant problems, and we have some massive challenges on the corporate side, especially with cybersecurity. A great deal of work needs to be done there, so Akamai has a close relationship with several universities, including MIT. In our case, our headquarters is a block away from MIT, so there is a great deal of back and forth. Every other fall, I give lectures at MIT, which provides me a chance to bring the real world to the classroom. While being a CEO is more than a full-time job, having a close connection is worthwhile. Having that education is what I do instead of serving on other corporate boards, which is what most CEOs do.