Second Thoughts on an Anti-Whaling IPO

“You don’t rob a bank with a gun anymore; you rob it with an email." — Peter Campbell, CFO, Mimecast
David KatzAugust 4, 2016

Peter Campbell displays a refreshing strain of self-criticism that’s quite rare in a profession where self-promotion is commonly seen as a necessary trait in rising to the top.

Peter Campbell, CFO, Mimecast

Peter Campbell, CFO, Mimecast

Starting with the November 2015 IPO of Mimecast, the email archiving security company where he’s been finance chief for a decade, Campbell says he could have been punchier telling the story of the firm’s advantages to potential investors.

True, it was tough to convey the message of the cloud-based company’s growth potential in its first quarterly earnings reports in the midst of caution in the equity markets and with only a few months of financials to report as a public company.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Yet Campbell feels he could have done a better job of highlighting the exit of two of its biggest competitors, McAfee and Postini, from Mimecast’s corner of the email security business. And he rues not having made more of the 1,800 new customers added by the firm in the fourth quarter.

In an interview with CFO, however, he revealed that his experience in communicating with investors over the months since the company’s Nasdaq IPO had sharpened his ability to tell its story. In particular, he was touting Mimecast’s “anti-whaling” product — which protects against attempts to hijack the computers of senior executives via email scams — and the firm’s “human firewall” system, which tells users that they might be about to click on a malicious link.

Campbell was also eager to talk about the company’s growth. Headquartered on the island of Jersey in the United Kingdom — a location which provides it with considerable tax advantages — Mimecast recorded about $142 million in revenue as of  March 31, its fiscal year end, compared with $117 million in 2015. The 12-year old international company has 18,000 customers and about 700 employees.

Along with the company’s chief executive officer, chief operating officer, and human resources director, Campbell works out of the company’s Watertown, Mass. office. An edited version of excerpts of the interview follows.

Tell us about the human firewall and your whaling product.
What is quite unique about us is we have what’s called a human firewall. We’ll click up a page and it will tell the user, say, to hang on a second. “You’re about to click on what could potentially be a malicious link. Do you still want to go there?” You have to actively accept it. That message is a real eye opener, and it brings the user in.

Whaling is a phenomenon that we’re seeing more and more. However, there’s still a surprising number of companies that don’t have protection and that fall victim to this kind of scam. It involves attackers trying to trick a company into giving them money or payroll data, W-2 data, or other [information] they can then use. You don’t rob a bank with a gun anymore; you rob it with an email.

What’s different about whaling is that it stems from highly developed social engineering. A lot of companies have their org charts on the web, or the attacker will look at LinkedIn or Facebook to try to understand who’s in the organization, who talks to who, how you can spoof somebody into sending you money. They might find out that the CEO’s away on vacation, and ask the CFO to send cash to the CEO, only it’s not that individual. A lot of times they’re looking for straight cash payments, and it amazes me how many people fall victim to that.

This is an emerging threat, and because of the way our architecture works, we’re able to look at the threat, analyze it, and come up with a comprehensive solution to deal with it.

What particular challenges did you face as the CFO during your company’s first public filing?
Making sure that the story we told was the strength of the business model. And I’m not sure that I always did. The challenge for me was looking at the script, making sure that the script was strong.

There’s a lot of really good news there, really positive momentum for the company. But the market hadn’t been as friendly as it had been a year ago. So for me it was making sure that the story got told well and making sure that people understood the forward signals in terms of products that people had bought from us, the sheer number of customers that we had added. We haven’t even seen the benefits of those in our revenue number yet because we added those towards the end of the year.

Closing out our [fiscal year] were trying to get our first real audit done, announce our earnings in a timely manner, and help people understand just how well the quarter went. That’s a tricky task for a newly public company because you’re not proven yet. People want to see you do that again and again and again before they’re going to accept that you can continue to do it.

How did you go about meeting that challenge?
Not as well as I would have liked. First of all, in highlighting that we added 1,800 customers. There’s some real momentum here.

Another thing that maybe we didn’t talk to as well as we could have is that McAfee and Postini are getting out of the security email gateway business, and we’re seeing that there’s a lot of potential there for us.

I think we told a good story. In certain areas we need to be a bit more punchy in the story. I need to make sure that we are clear and we’re telling the story and answering questions before we get asked them, so people have the information they need about the business to either buy our product or invest appropriately.

What did the IPO mean to you in terms of your career?
I’ve been at Mimecast for a long time, and there’s an expectation that the IPO is some kind of end game for me. It’s not, it’s just a kind of step along the journey. I always liked taking exams in school. So you’re kind of going back to the university. You need to prove you and your company can do that over an extended period of time and that you do what you say you’re going to do and you do it again and again and again. People are watching, and I’m ready to do that.

What are the advantages of being registered in Jersey and how does it affect your job as CFO?
We’re a U.K. tax resident company. Just being a U.K. company is tax beneficial for us, especially the R&D investment tax credit program that they have over there. They give cash back for research initiatives. It’s not only a tax deduction when you’re making money, it’s cash back when you’re still growing and building a business. Instead of a tax credit, where you’re allowed to get a deduction on income, you’re allowed to claim an investment tax credit where they’ll give you a percentage of every dollar you spend.

Let’s say you spend $100, you’d get $18 back as a tax credit on R&D investments. They have to be straight R&D investments and they have to be investments related to research. It can’t be just maintaining a particular product;  it has to be pure research and development of new products.

Additionally, the stock option programs over there are beneficial when you’re a new and growing company. You don’t pay tax on exercise, you only pay tax on capital gains. And depending on your size, the capital gains can be quite low depending on the plan you’re under. Lastly the corporate tax rates are lower than here. To be sure, there is some complexity for a CFO in looking at how you transfer-price and making sure that you’re able to benefit from those lower tax rates.