The Hacking Economy

Inside a cybersecurity start-up

I first met Ainsley Braun and Michael Borohovski at the RSA cybersecurity conference in 2013. A CNBC producer and I were sitting in a packed lounge area inside San Francisco's Moscone Center, surrounded by conference-goers clutching coffee cups and pitching business opportunities to one another. Ainsley and Michael were sitting at the next table.

We were there to meet with the execs of another tech company, who walked us through an elaborate PowerPoint presentation about their new cybersecurity technology, much of which seemed very similar to everything else every other company was pitching. When the execs got up to leave, Braun and Borohovski leaned over and said they couldn't help overhearing that we worked for CNBC. "We just found a flaw in your website," they said. "And we can tell your tech team how to fix it."

KTSDESIGN | Science Photo Library | Getty Images

That got my attention. These two young hackers had identified a flaw in a large corporate site put together by top-quality professionals? It's the same feeling executives across the economy feel when they get the bad news about security flaws in their sites. And it was a great sales pitch: Braun and Borohovski tapped into my fear and offered to sell me something to fix it. That's the cybersecurity gold rush in a nutshell.

Read MoreMeet the NSA's hacker recruiter

In September, Research and Markets estimated that the global cybersecurity industry will grow at a compound annual rate of 4.62 percent from to 2014 to 2024—a rate that's driven by the headlines we all see about hacks at the likes of Target, Home Depot and JPMorgan. Companies are scrambling to buy more protection for their systems, sparking a wave of new business opportunities for cybersecurity firms.

Smart, aggressive young entrepreneurs like Braun and Borohovski are starting up new companies to take advantage of the surge in demand and offering new solutions to companies struggling to keep up. Their small company is called Tinfoil Security, and it is based in modest offices in Palo Alto, California, sharing the complex with two dentists' offices.

Braun has two degrees from MIT and worked at Booz Allen prior to launching her start-up. Borohovski also went to MIT, and says simply that he did "defensive software security in the D.C. area" before launching Tinfoil.

Read MoreFive ways to protect yourself from data breaches

I caught up with them recently to find out what life is like inside a cyber start-up. What follows is an edited transcript of that conversation.

CNBC: What's the difference being a cybersecurity start-up versus every other start-up out there?

Braun: I'd say there are quite a few differences. Not only do you have to worry about your own security, you have to worry about the security of all the other companies that are your customers. So there are lots of different things that you have to think about, not only in how we secure data, which is first and foremost on our mind. We also have to look at all new technologies to see how our security service can be more applicable to the world than [to] … the older companies that are 10 to 15 years old.

Read MoreWatch out: iOS 8 autocompletes your password

CNBC: Ten or 15 years old is an old company?

Braun: It is in security. Security is always changing.

Borohovski: It's also a different type of growth. When the Yo app was trying to grow, they were trying to make it as viral as possible. When you're an enterprise business-to-business company, we're spending all of our time growing by making actual sales and talking to people and so forth. It's a little bit less viral than Yo or any of the others.

CNBC: What is the start-up climate in the cybersecurity industry now?

Borohovski: You know, I think the appetite is very high. There's a lot of news nowadays about cybersecurity breaches, and people are more concerned about security and breaches than ever before. It's easier to find funding, and it's a little bit easier to make sales. At the same time, I don't know that it's necessarily any easier to actually build or found a security start-up. Because I think the level of effort it takes is always going to be high. It's just difficult to start your own business and start one that matters and that actually solves a real problem that people are having.

Read MoreHow to tap the braintrust on cybersecurity

CNBC: It seems like one of the biggest problems with being a start-up in cybersecurity is that people don't know who you are, and you're asking them to trust you with their most important data.

Borohovski: Yeah, I mean, that's where solving a real problem comes in. I mean, if you can show them—despite the fact that you're unknown and new and relatively smaller compared to any of your competitors—if you can show them that you're solving a real problem that they're currently having and can help them prevent breaches. That, coupled with any sort of pedigree or history or proof that you know what you're talking about, can really be beneficial.

Read MoreThis app promises to keep your pics from hackers

CNBC: So what's your sales pitch?

Braun: We scan websites for vulnerabilities. That's kind of the high-level security piece that we do. We are the best Web application scanner on the market. Our goal is to make it extremely easy to find vulnerabilities and fix vulnerabilities. Our goal right now is actually targeting developers within companies, because security teams are getting extremely overwhelmed by all the vulnerabilities that are coming into the company. Companies and websites are changing every single day, so you can see new content, new versions of websites pushed out daily or weekly. And with every new code change, you're potentially introducing new vulnerabilities. And a lot of times developers aren't getting the security training. So it's the security team who has to deal with all the vulnerabilities that are being introduced to the companies. And our goal is to actually train those developers with our tool so that not only are we finding those vulnerabilities but we are helping them fix the vulnerabilities as quickly as possible.

CNBC: What advice would you give somebody who wants to start up a cybersecurity company right now?

Borohovski: Be very, very careful, and be judicious about what you say and don't say. [With] financial services or anything that's dealing with medical—anything that's dealing with really sensitive and important data—it's incredibly important to be very sensitive to what your customers want you to say and what they don't want you to say.

CNBC: Tell me the story of how you came to found Tinfoil Security.

Braun: Borohovski and I were both working in the D.C. area for the government contractors and whatnot. But what we were noticing is, we found quite a few vulnerabilities on websites. So we would get in touch with founders, CEOs, CTOs—anyone who would actually be able to control the website. We would disclose the vulnerabilities of them. Usually within half an hour, we get an email back, saying, 'Thanks for the heads up. We fixed the vulnerability.' And usually they didn't actually fix the vulnerability. So we'd have to walk them through how to fix the vulnerability properly. And realized that it was a much bigger issue where security was either too difficult or too expensive, or it was just not top of mind.

Read MoreHack attacks on hospitals jump 600% this year: CEO

CNBC: Why did you relocate to Silicon Valley?

Borohovski: We originally actually relocated to Boston just for a couple of months 'cause we could live there for free. We have a lot of MIT connections, and we knew a lot of people there and so forth. Eventually, we relocated to the Valley, because everybody told us that it was easier to find financing; it was easier to find customers. We found that we just moved really, really fast out here. Maybe that was good timing; maybe that was the location. But we ended up sticking around, because so far, we've been moving much faster here than anywhere else.

JPMorgan to CNBC: Report of new security breach false
JPMorgan to CNBC: Report of new security breach false