Interviews 21.08.2023

Getting to know: Marten Mickos

The CEO of HackerOne delivers huge growth and controversial opinions. He loves hackers, but hates cybersecurity. Eleanor Dallaway got to know Marten, and so should you.

Eleanor Dallaway meets Marten Mickos, CEO of HackerOne, an absolute whirlwind of a man. Excruciatingly candid and unshakable in his pursuit of category leadership, Marten’s love of HackerOne is matched only by his disdain for the cybersecurity industry. Whether or not he’s your cup of tea, Marten is sure to leave an impression…

Confession: It’s not often that I change my opinion of someone. It’s even rarer that I do it in the space of an hour. But on an uncharacteristically sweltering day in London, I met Marten for the first time, formed an opinion, changed my mind, and later settled on a totally different viewpoint as I bring this interview to life several weeks later.

Let me take you back to June and the Charlotte Street hotel brasserie…

Marten arrives late and is somewhat agitated, which, it transpires, is a result of being late. “I’m never late. I’ve been here the whole time waiting in the lobby,” he says, somewhat put out by the breakdown in communication between himself and his PR team, who are already seated at the table with me. There’s a quick exchange between them where they discuss what time he needs to leave to get to his next meeting. “That won’t be enough time; I refuse to be late,” he says in response to their suggestion, and I hide the grin that threatens to escape due to the irony of his statement.

“Cybersecurity is a terrible industry where everybody is a white, middle-aged man, pontificating and mansplaining to the world”

Here’s the truth: at this moment, I accept that I’m not going to be Marten’s biggest fan, and I resign myself to 48 minutes of stilted conversation. But one or two questions in, and Marten’s entire demeanour shifts. Maybe it takes a while for his frustration due to tardiness to fade. Perhaps I have to prove myself with questions he deems worthy. Or maybe his passion as he talks about HackerOne brings out his softer side. Possibly it’s a cocktail of all three. Whatever was responsible for the shift, I watch it with fascination and gratitude.

Marten is abrupt, unapologetic in demeanour, and oozes charisma. He is tall in stature, loud in speech, and relentless in pursuit of success. “I want to make sure HackerOne is the best, brightest, most beautiful, most innovative, most creative, and strongest company on the planet,” he tells me, utterly stoic. “I want us to be a category leader, and I want to achieve that status, so people can come to me and say, ‘Marten, you did it!’. I want to win, and for me, winning is having brought into the world a category that’s unique and lives on.” Humble? No. Honest? Absolutely.

Marten joined HackerOne seven years ago when there were 50 employees and $0.5m in sales. Today, the company boasts 450 staff (“Can I exaggerate and say 500?” he laughs) and reportedly around $100m in sales. That noted, Marten quickly points out that he’s not a numbers guy. “Many CEOs will just look at the numbers. I don’t. If you are changing society, it’s not about the numbers; it’s about making the world see the value in what you do. In my soul, numbers don’t occupy an important place.”

“Cybersecurity is a terrible industry”

A self-confessed “sucker for early-stage start-ups with unlikely and complicated business models”, Marten admits that the attraction is “building something that nobody else can. It’s an ego thing,” he confesses. Bill Gurley, a venture capitalist, proposed HackerOne as the ideal start-up for Marten. At first, he was reluctant. “I didn’t want to do cybersecurity because the people are cynical, negative and nit-picky, and I can’t handle that,” he says scathingly. But he was sold when he met the founders (two Dutch men that moved to San Francisco and made a business out of hacking companies). Of the founders, he says: “They’re kind of like my sons. I’m more experienced, but they’re way smarter, so it works well.”

Have you changed your mind about the industry in your seven years in it? I ask Marten. He skips a few beats. “I think I was right,” he says. “It’s a terrible industry where everybody is a white, middle-aged man, pontificating and mansplaining to the world why we need firewalls and anti-virus to save everybody. It isn’t working; it’s costing a lot of money, causing stress and failing to produce wholesome security and the security culture we need. There’s no single product in the universe that will save you.” Well, that clears that up, then. His honesty genuinely takes me aback. I ask him what needs to happen to fix this, and he offers three suggestions: increased diversity, transparency, and lessons from the aviation sector. “We must learn blameless retrospection and intelligence sharing.”

Throughout the interview, Marten makes several references to adopting a positive spin on security. “Everyone else in the industry is an ambulance chaser, saying, ‘if you don’t buy our product, you’ll suffer’. I knew we had to be a different player. We say, ‘do this to be more successful, sleep better, and be happier’”. It’s a positive sell that Marten admits some may view as “juvenile, romantic or idealistic. But it’s also why people like us. We have a fresh approach; we’re not just boring people who look alike. We have diversity in every dimension and represent the future as nobody else does.”

“Hackers travel back in time to rescue us”

Representing the future is one thing; representing the hacker community is another. “To earn the trust of hackers, you have to be a little bit like them; you have to represent them well. I believe that hackers come from the future. They have seen what the world will look like ten years from now, and they’re travelling back in time to rescue us and put our software into shape.” He says this completely deadpan.

“When I first came on board, we had a boring blue website that looked like HP’s. I said, ‘We can’t do this, we are a start-up and have to fucking show our true colours.’ I chose to replace the blue with pink. One of the board members thought I was destroying the company. The feisty part of me came out, and I doubled down on pink,” he laughs. “Now everyone loves it.”

Marten contends that the HackerOne name itself is potentially a brave decision. “We put it right in your face. [Using the word hacker] means there are many we can’t sell to yet, but we just have to wait for them to mature into understanding it.” Marten believes that government guidance and mandate will speed this process up. “Governments are at the forefront, declaring cybersecurity a priority and demanding that organisations take responsibility. The latest CISA strategy talks about radical transparency. This is wonderful,” he says.

I ask the difference between the organisations they manage to onboard as customers and those they don’t. “Those who become our customers care about security more than compliance, those who don’t care more about compliance. Oh, and those who become our clients care about their reputation.” He proudly lists some HackerOne clients as examples: Goldman Sachs, Starbucks, Zoom and Hyatt Hotels are just some that roll off his tongue. “And here’s the truth,” he says, “our customers fare better than other companies. Stock price goes up, and breaches go down. Others will catch on, but until then, we patiently wait for even the last bastions to fall.” He says this smugly, with a twinkle in his eye and a grin.

I ask Marten to share his thoughts on in-house bug bounty programmes. “I don’t care,” he shrugs. “Our mission is fulfilled either way. But think of it like a watch: Anyone can read a watch, but only the Swiss have the patience to build one. We just took over Mozilla, one of the pioneers of the bug bounty world. If you run your own bug bounty programme, you have to deal with hackers, which means dealing with people with strong opinions and emotions.

“We know how to calm them down, love and listen to them. We are servants of them, they’re the ones doing the job, and we have the privilege of hosting them.” But surely sometimes Marten has to make decisions they don’t like? “Yes,” he contends. “We don’t follow their orders, but we do serve them.”

“I think of my investors last”

When it comes to taking orders, Marten doesn’t take them from investors either. “Many CEOs think first of their investors, but I think of them last. Here’s my logic: If I take good care of our employees, they take good care of the hackers, who will take good care of our customers. When that happens, customers give us their money which, in turn, takes care of our investors.”

Marten describes company culture as one of his two focus areas

His logic is fair. The alternative? “If I go straight to thinking about the investors, I will become an arrogant, cynical, transactional and greedy CEO. We would lower the offering for hackers and take the money for ourselves, ultimately compromising our success. That’s why investors have to be last on the list.”

After a pause, Marten smirks. “The venture capitalists already gave us their money anyway; they can’t take it back,” he laughs. “They can fire me, of course, but that’s happened several times, and it doesn’t bother me any more.”

Throughout our time together, I notice that Marten reveals little in the way of plans, objectives or desires. I can’t figure out whether this is strategic. “I don’t have objectives, I’m just the CEO,” he chuckles, failing to expand. “I don’t have a career plan, I’m working on HackerOne,” he later retorts when I invite him to share future aspirations.

“Are you a live-in-the-moment person?” I ask him, bewildered by his non-committal answers. “No,” he responds, “but I am an all-in person. So right now, there is just HackerOne, and I’m sacrificing everything else, including friendship and spare time, to be a category leader.”

While he denies objectives, he reveals his two focus areas: the vision for the future and company culture. On the latter, he emphasises the importance of building trust through transparency. “Of course, HackerOne’s role in the world is to build trust between two groups of people (hackers and organisations) that don’t trust each other,” he says, noting the synergy.

“If you look at the sun, it will burn you”

The one ambition he consistently and steadfastly references (despite not offering it as an answer when I question his objectives) is category leadership. “It’s what I truly care about, and I’m unsentimental about how that manifests itself. But if we go public, I’ll be delighted because I think that’s the best path.”

Marten believes HackerOne has the ingredients of being a public company but disagrees with making postulations “because thinking about the exit blinds you. It’s a bit like the sun,” he explains, “we can’t live without it, but you should never look at it directly. It gives us energy, but if you look right at it, it will burn you.”

Marten’s lack of sentiment seemingly seeps into his personal life too. Born in Finland, currently residing in San Francisco, Marten shakes his head when I ask him where he considers ‘home’. “I don’t know why people ask that question. Wherever I go is my home,” he bemoans.

Marten’s passions outside of HackerOne include hiking, reading, skiing and sailing

When I ask about his passions outside of work, he looks almost confused at the question, as if there is no life beyond HackerOne. “My main hobby is sleep. My second hobby is to dream about glorious things.” He looks at me, checking whether this answer has been accepted. It hasn’t, and I press him for more. “I hike, ride my bike, sail, ski, read,” he lists. He also has a penchant for mentoring start-ups and female leaders. And as a ‘bet you didn’t know this’ bonus, Marten has also been appointed an honorary consul of Finland to issue emergency passports “and do secret things” in his spare time.

As I wrote right at the beginning, Marten challenged my confidence in my ability to make a quick character judgement. Don’t get me wrong, that initial read of Marten as brash, abrupt and somewhat arrogant wasn’t entirely incorrect, but those traits are somehow draped in an impossible charm. I warmed to Marten and found his unapologetic conviction in his sentiments and dogged pursuit of success enchanting. You know where you stand with Marten, and that’s an underrated quality.

After Marten leaves, his PR team tells me that his animation, excitement and recurring grins throughout the interview were a sign that he’d really enjoyed our conversation, which I appreciated. The sometimes-abrupt responses could have left me uncertain. As I said, Marten is a whirlwind, and until the reassurance from those that know him well, I wasn’t sure which way the wind was blowing.

I’ll leave you with Marten’s quote: “If you’re successful, you do whatever you like. If you’re unsuccessful, you do what somebody else likes – it’s that simple.” Given that Marten is not the type of guy to tolerate doing what somebody else likes, he has no choice but to continue to be the impressive and successful leader that he is. And that is something I have utter confidence in him doing.

Marten Mickos on the cybersecurity industry

  • “The biggest problems in the world are created by humans, but the biggest solutions in the world are also created by humans.”
  • “If software is the expression of human intent, then we must govern the way software is built.”
  • “Let’s learn from aviation. If you become an aviation engineer, you have to study aviation safety. You don’t need to study anything to become a computer science engineer. How can that be?”
