Building a Cybersecurity Startup: Lessons From Illumio CEO Andrew Rubin

In 2013, Andrew Rubin and PJ Kirner founded a cybersecurity company called Illumio with a thesis most of the industry wasn't ready to hear: perimeter security alone would not be enough. Breaches would become inevitable, and organizations needed a fundamentally different approach to containing them.

Thirteen years later, Illumio has raised $557 million in venture capital, reached a $2.75 billion valuation, crossed $100 million in annual revenue, and serves approximately 20% of the Fortune 100. The company was named a Customers' Choice in Gartner Peer Insights for Network Security Microsegmentation in January 2026.

But none of that happened quickly. In a candid conversation on the Y Security Podcast, Rubin reflected on a journey that included years of doubt, the departure of his co-founder, and the long, uncertain process of waiting for a market to catch up to an idea that was ahead of its time.

His story carries lessons that apply to anyone building a technology company - particularly in cybersecurity, where the dynamics of adoption, timing, and trust create unique challenges.

Start With the Problem, Not the Ambition

Rubin didn't set out to be an entrepreneur. He set out to solve a problem.

"I didn't wake up one day and say, I want to be an entrepreneur," he said. "I woke up and said, I'm passionate about this. I see the world changing. I think it's a problem that needs to be solved. And that led me to my entrepreneurial journey."

The problem was specific: perimeter security had been the default cybersecurity approach for decades, but its track record was deteriorating. Breaches were getting bigger, more frequent, and more damaging. Rubin and Kirner recognized that organizations needed a way to contain threats that got past the perimeter - a category now known as microsegmentation.

This problem-first orientation is a pattern that research supports. A Harvard Business Review study found that startups are "disproportionately more likely to introduce new-to-the-market innovations" when founders have genuine domain expertise rather than a generic desire to start a company. In cybersecurity specifically, the Venture in Security newsletter has documented how "security is purchased in categories, and to innovate in a specific category, founders generally need to have accumulated a solid perspective about the previous iterations of the same category."

Rubin's background - he spent years in sales engineering and product management at Cymtec Systems, a company in the intrusion detection space - gave him exactly that perspective. He understood the market's architecture, its buying patterns, and its failure modes well before writing a business plan.

The Non-Technical Founder Question

One of the more honest moments in the conversation came when Rubin addressed his role as a non-technical co-founder in a deeply technical cybersecurity company.

"By definition, I'm not a technical founder because when you use that term, most of the time it means that you came up, you have your CS degree, you coded, you were an architect, you were an engineer," Rubin said. "By that definition, I am not a technical founder."

He didn't frame this as a limitation. He framed it as a complement. PJ Kirner, Illumio's co-founder and CTO, brought the deep technical vision. Kirner studied Computer Science and Electrical Engineering at Cornell, worked on Juniper Networks' security team, and was the architect behind Illumio's core technology. Rubin brought the domain expertise, selling ability, and go-to-market instincts.

The Harvard Business Review research supports this pairing model directly: "Firms profit disproportionately from a mix of business and technical skills when the founder has technical knowledge and employs additional business experts." Startups with two co-founders see 30% more investment and three times the customer growth rate compared to solo founders.

Rubin's advice for technical founders who find selling uncomfortable: "I don't think it's about becoming a salesperson. I think it's about just rounding out the skill set to get comfortable having both sides of the conversation." He recommended surrounding yourself with mentors who bring skills you don't have and not being embarrassed to ask for help.

Timing: The Variable You Don't Control

Illumio spent its first couple of years in what the industry called "stealth mode" - pre-revenue, building the product, and looking for early customers who understood the problem. Rubin estimated it took seven to eight years before the company reached the inflection point where it felt like a real, durable business rather than a fragile early-stage startup.

"The expression that a number of my mentors have reminded me of - the overnight success story, a decade or more in the making - there's no doubt about it that we're living that journey," he said.

He was explicit about the role of timing. "I think those two words - luck and timing - when you use them in this context, are totally interchangeable. Your luck is your timing."

He argued that the hard work, the perseverance, and the willingness to get beat up are table stakes for any startup. What you can't control is whether the market is ready for what you've built.

"When you ask your new technology to be adopted by a market, the timing matters a great deal because what you're actually doing is asking other people to change their behavior," Rubin explained. "The technology is the easy part. But humans - we're intricate, we're complex, we're interesting. And when you ask someone to change their behavior, that's a very heavy ask."

This is not abstract theory. The cybersecurity market has a well-documented version of this problem. According to research from Venture in Security, "the moment a single founder lands on an idea, there are immediately 2 to 5 other companies starting with the same vision." Being too early means the market doesn't understand the problem. Being too late means the category is crowded with competitors.

Illumio's microsegmentation market illustrates this timing dynamic with precision. Today, 70% of cybersecurity professionals say microsegmentation is essential for zero trust - but only 5% of organizations have actually implemented it. Gartner projects that number will reach 25% by 2027. The market that Rubin and Kirner identified in 2013 is now crossing from early adopters into the mainstream, exactly as Geoffrey Moore's technology adoption model predicts.

Crossing the Chasm in Cybersecurity

Rubin referenced Geoffrey Moore's "Crossing the Chasm" - the framework that describes how technology products must bridge the gap between visionary early adopters and the pragmatic mainstream market - as a model that became central to Illumio's strategic thinking.

"I'm a huge fan and definitely more of a fan now than ever before of Moore's adoption curve," he said. "I certainly knew what it was pre-Illumio. I never really understood how critically important it is."

Moore's framework divides the market into five segments: Innovators (2.5%), Early Adopters (13.5%), Early Majority (34%), Late Majority (34%), and Laggards (16%). The chasm sits between Early Adopters and Early Majority - the point where a technology either breaks through to mass adoption or dies.

Illumio lived this framework in real time. Their early customers were predominantly in financial services and large tech companies - industries that are historically security early adopters. "Instead of only selling to a couple of industries that are always security early adopters, all of a sudden we saw airlines and transportation and logistics," Rubin said. "We were always selling to very large global enterprise. Suddenly we were selling to commercial enterprise."

That diversification was the signal that the chasm was being crossed.

Cybersecurity has a unique wrinkle in this model that the Venture in Security newsletter calls the "inverted chasm problem." In most industries, small and mid-size businesses adopt first and large enterprises follow. In security, it's reversed: large enterprises with sophisticated security teams adopt first because they have the resources and the urgency. Getting from Fortune 500 early adopters to the broader market - commercial enterprise, mid-market, and eventually SMBs - is where many cybersecurity startups fail.

The Hardest Moments

Rubin didn't shy away from the difficult parts of the journey.

The hardest single conversation, he said, was when his co-founder PJ Kirner decided to leave Illumio. "When PJ decided that after a long time, he was ready to be done and he wanted to go back to a room with a couple of folks in true startup mode and start another journey from a whiteboard all over again, that first conversation was definitely one of, if not the toughest conversations."

Rubin described a co-founder departure that many founders dread but rarely discuss openly. The two had been "brothers tied at the hip" through every phase of the company. But Kirner's instinct was right - he wanted to return to early-stage building, and Illumio had matured past that phase. "His gut and intuition, first of all, was wildly ahead of mine," Rubin said. "And it was incredible how well it worked out all the way around."

The other difficult constant: letting people go. "Having to let somebody go never gets easier and is always going to be, at a human level, the hardest part of the job," Rubin said. He framed it not as a leadership technique but as an honest accounting of the emotional weight that comes with running a company.

The Proudest Inflection Point

When asked about his proudest moment, Rubin didn't point to a revenue number or a funding round. He described a gradual realization.

"There was a moment where we woke up and realized the company was bigger than any of us," he said. "If for whatever reason I was not at work tomorrow, Illumio is Illumio. The board will do its job and find the next CEO. The company, because of what we've built, because of what we've done for our customers, became bigger than anybody and everybody."

He contrasted this with the early days, when losing a single team member could threaten the company's trajectory. "In the early days, we always had that feeling like, wow, we really hope so-and-so doesn't leave because we don't know what we would do."

Getting from that fragility to institutional resilience is, in Rubin's view, the defining achievement of a startup that survives. Not a revenue milestone. Not a valuation number. The moment when the company becomes an institution.

The Cybersecurity Startup Landscape in 2026

Rubin's journey unfolded against a cybersecurity market that has grown into one of the largest and most active sectors in technology.

The numbers tell the story:

  • $213 billion was spent on cybersecurity globally in 2025, according to Gartner, with spending projected to reach $240 billion in 2026.

  • $14 to $20.7 billion was invested in cybersecurity startups in 2025, up 47 to 52% from 2024, making it the strongest funding year since 2021 (SecurityWeek, Crunchbase).

  • Early-stage funding (Series A and B) surged 63% year over year, driven largely by investor enthusiasm at the intersection of AI and security.

  • There are now 75 cybersecurity unicorns with a combined valuation of approximately $229 billion.

  • Cybercrime is projected to cost the world $10.5 trillion annually, according to Cybersecurity Ventures. Measured as a country, that would make it the third-largest economy after the United States and China.

But building in this market comes with a unique challenge: the cybersecurity talent gap. ISC2 data shows a global workforce gap of approximately 4.8 million unfilled cybersecurity roles, with 67% of organizations reporting staff shortages. The 2025 ISC2 Workforce Study found that 59% of respondents identified critical or significant skills shortages within their teams, up from 44% in 2024.

This talent scarcity cuts both ways. It makes building a cybersecurity company harder - hiring is intensely competitive. But it also validates the mission-driven nature of the work that Rubin described. "There aren't a lot of folks who decide to spend their career in cybersecurity who don't have some part of that decision be driven by more of a mission-driven attitude," he said. "It's not just the job itself, but it's a desire to try and actually participate in what is definitely a very real war nowadays and be on the good side."

Lessons for Founders

Rubin's thirteen years building Illumio distill into a set of principles that are practical rather than aspirational:

1. Fall in love with the problem. The entrepreneurial journey was a consequence of caring deeply about a specific problem, not a goal in itself. Domain expertise and genuine passion for the problem space are the foundation.

2. Find a co-founder who complements you. Rubin (business and go-to-market) and Kirner (deep technical architecture) built a company that neither could have built alone. The research confirms that complementary co-founder pairings outperform solo founders and same-skill-set teams.

3. Accept that timing is the variable you don't control. Do the work, build the product, persevere through the tough years. But understand that market readiness is not something you can force. You can influence it, but you cannot manufacture it.

4. Study the adoption curve. Knowing where you are on Moore's technology adoption lifecycle - and understanding the specific dynamics of the chasm in your market - can mean the difference between strategic patience and blind hope.

5. Build for resilience, not just growth. The proudest inflection point wasn't a number. It was the realization that the company had become an institution that could survive the departure of any individual, including the founders.

6. Learn from every mistake. "We're going to make mistake after mistake," Rubin said. "The only two requirements are: learn from every one you make, and try not to make the same one again."

7. Selling is not a dirty word. Whether it's recruiting talent, raising capital, closing customers, or explaining your vision - everything is selling. Getting comfortable with that reality, especially for technical founders, is essential.


Meet the hosts

Jon McLachlan

Co-Founder, YSecurity & Cyberbase

Questions founders and engineers actually ask, with decisions not theater.


Sasha Sinkevich

Co-Founder, YSecurity & Cyberbase

Pushes past surface answers into architecture, tradeoffs, and what scales.


The Security Podcast of Silicon Valley

jon@thesecuritypodcastofsiliconvalley.com
